CVE-2023-45279 — MEDIUM (5.4)

Vulnerability Description

Yamcs 5.8.6 allows XSS (issue 1 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload a display referencing a malicious JavaScript file to the bucket. The user can then open the uploaded display by selecting Telemetry from the menu and navigating to the display.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Spaceapplications	Yamcs	5.8.6

Related Weaknesses (CWE)

CWE-79

References

https://github.com/yamcs/yamcs/compare/yamcs-5.8.6...yamcs-5.8.7Patch
https://www.linkedin.com/pulse/yamcs-vulnerability-assessment-visionspace-technoExploitThird Party Advisory
https://github.com/yamcs/yamcs/compare/yamcs-5.8.6...yamcs-5.8.7Patch
https://www.linkedin.com/pulse/yamcs-vulnerability-assessment-visionspace-technoExploitThird Party Advisory

FAQ

What is CVE-2023-45279?

CVE-2023-45279 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Yamcs 5.8.6 allows XSS (issue 1 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload a display referencing a malicious Java...

How severe is CVE-2023-45279?

CVE-2023-45279 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-45279?

Check the references section above for vendor advisories and patch information. Affected products include: Spaceapplications Yamcs.