Vulnerability Description
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB-connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker who is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the Create Agent, which would allow the attacker to execute arbitrary browser client-side code. Version 1.3.6 contains a fix for the issue.
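The weakness class described above is an error message reflected into an HTML response without escaping. The following Go example is added here as a defensive illustration only; it is not the Create Agent's code, and the handler name, the `msg` query parameter and the constructed sample input are assumptions. It contrasts naive string interpolation with two mitigations: rendering through `html/template`, which escapes in context, and serving errors as `text/plain` with `X-Content-Type-Options: nosniff` so the browser never interprets them as markup.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sampleMessage is a constructed input containing markup characters; it stands in for
// any attacker-influenced error string that reaches the response body.
const sampleMessage = `<script>alert(1)</script>`

// unsafeErrorPage reproduces the vulnerable pattern: the message is pasted into HTML
// verbatim, so tag delimiters in it become live markup in the victim's browser.
func unsafeErrorPage(msg string) string {
	return fmt.Sprintf("<html><body><p>Error: %s</p></body></html>", msg)
}

// errTmpl is parsed once; html/template escapes {{.}} according to its HTML context.
var errTmpl = template.Must(template.New("err").Parse(
	"<html><body><p>Error: {{.}}</p></body></html>"))

// safeErrorPage renders the same page through html/template, which turns < > " ' &
// into entities, so the message is displayed as text rather than parsed as markup.
func safeErrorPage(msg string) (string, error) {
	var sb strings.Builder
	if err := errTmpl.Execute(&sb, msg); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// reflectsRawMarkup reports whether the rendered body still contains the message
// byte-for-byte, i.e. whether tag delimiters survived unescaped.
func reflectsRawMarkup(body, msg string) bool {
	return strings.Contains(body, msg)
}

// errorHandler is a hypothetical hardened handler: it reads the message from the
// (assumed) "msg" query parameter and answers as plain text with nosniff, so even a
// message full of tags cannot execute. Headers are set before WriteHeader.
func errorHandler(w http.ResponseWriter, r *http.Request) {
	msg := r.URL.Query().Get("msg")
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusBadRequest)
	fmt.Fprintf(w, "Error: %s\n", msg)
}

// serveError drives errorHandler through httptest and returns the Content-Type the
// client would see, which is what decides whether reflected tags are dangerous.
func serveError(msg string) (contentType string, body string) {
	req := httptest.NewRequest(http.MethodGet,
		"/certificate.crt?msg="+url.QueryEscape(msg), nil)
	rec := httptest.NewRecorder()
	errorHandler(rec, req)
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	fmt.Println("unsafe:", unsafeErrorPage(sampleMessage))
	safe, _ := safeErrorPage(sampleMessage)
	fmt.Println("safe:  ", safe)
	ct, body := serveError(sampleMessage)
	fmt.Printf("plain: %s -> %s", ct, body)
}
```

The `html/template` variant is the right fix when the error genuinely belongs on an HTML page; the plain-text variant is the simpler choice for an endpoint like `/certificate.crt` that was never meant to render a page at all. Either way, a reviewer checking for this class of bug looks for `fmt.Sprintf`, string concatenation or `text/template` feeding an HTML response body.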
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arduino | Create Agent | < 1.3.6 |
Related Weaknesses (CWE)
References
- https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943 (Patch)
- https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx (Vendor Advisory)
FAQ
What is CVE-2023-49296?
CVE-2023-49296 is a vulnerability with a CVSS score of 6.3 (MEDIUM). The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 aff...
How severe is CVE-2023-49296?
CVE-2023-49296 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2023-49296?
Check the references section above for vendor advisories and patch information. Affected products include: Arduino Create Agent.