GHSA-ffq5-qpvf-xq7x

Details

Summary

The Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.

Details

The unsafe eval() usage on user-supplied ARRAY parameters happens in convertToValue method in CommandSender.vue

PoC

Using a drop-down form, choose any command that supports ARRAY parameters,
Inside square brackets “[…]” place a JavaScript code to be executed
Send command to CmdTlmServer using dedicated “Send” button
Observe JavaScript code being executed in the current browser session context

Below example uses INST ARYCMD to execute simple JavaScript code snippet alert(“XSS”). <img width="947" height="356" alt="image" src="https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad" />

Impact

Local JavaScript execution in the user's browser

Affected Packages

openc3

RubyGems

Fixed in:

7.0.0

References

PACKAGE

https://github.com/OpenC3/cosmos

WEB

https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x

ADVISORY

https://github.com/advisories/GHSA-ffq5-qpvf-xq7x