Vulnerability Description
eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking. When running eDEX-UI and browsing the web, a malicious website can connect to eDEX's internal terminal control websocket, and send arbitrary commands to the shell. The project has been archived since 2021, and as of time of publication there are no plans to patch this issue and release a new version. Some workarounds are available, including shutting down eDEX-UI when browsing the web and ensuring the eDEX terminal runs with lowest possible privileges.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Edex-Ui Project | Edex-Ui | <= 2.2.8 |
Related Weaknesses (CWE)
References
- https://christian-schneider.net/CrossSiteWebSocketHijacking.htmlTechnical Description
- https://github.com/GitSquared/edex-ui/blob/04a00c4079908788b371c6ecdefff96d0d995Product
- https://github.com/GitSquared/edex-ui/security/advisories/GHSA-q8xc-f2wf-ffh9Vendor Advisory
- https://christian-schneider.net/CrossSiteWebSocketHijacking.htmlTechnical Description
- https://github.com/GitSquared/edex-ui/blob/04a00c4079908788b371c6ecdefff96d0d995Product
- https://github.com/GitSquared/edex-ui/security/advisories/GHSA-q8xc-f2wf-ffh9Vendor Advisory
FAQ
What is CVE-2023-30856?
CVE-2023-30856 is a vulnerability with a CVSS score of 8.3 (HIGH). eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking. When running eDEX-UI and browsing the web, a malicious website can connect to...
How severe is CVE-2023-30856?
CVE-2023-30856 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-30856?
Check the references section above for vendor advisories and patch information. Affected products include: Edex-Ui Project Edex-Ui.