openc3 5.7.2

3 security vulnerabilities found in version 5.7.2

OpenC3 stores passwords in clear text (GHSL-2024-129)

medium severity CVE-2024-47529
medium severity CVE-2024-47529
Patched versions: >= 5.19.0

Summary

OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128).

Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition

Impact

This issue may lead to Information Disclosure.

NOTE: The complete advisory with much more information is added as comment.

OpenC3 Path Traversal via screen controller (GHSL-2024-127)

medium severity CVE-2024-46977
medium severity CVE-2024-46977
Patched versions: >= 5.19.0

Summary

A path traversal vulnerability inside of LocalMode's open_local_file method allows an authenticated user with adequate permissions to download any .txt via the ScreensController#show on the web server COSMOS is running on (depending on the file permissions).

Note: This CVE affects all OpenC3 COSMOS Editions

Impact

This issue may lead to Information Disclosure.

NOTE: The complete advisory with much more information is added as comment.

OpenC3 Cross-site Scripting in Login functionality (GHSL-2024-128)

medium severity CVE-2024-43795
medium severity CVE-2024-43795
Patched versions: >= 5.19.0

Summary

The login functionality contains a reflected cross-site scripting (XSS) vulnerability.

Note: This CVE only affects Open Source Edition, and not OpenC3 COSMOS Enterprise Edition

Impact

This issue may lead up to Remote Code Execution (RCE).

NOTE: The complete advisory with much more information is added as comment.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.