Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 71d90d7290de · 2026-04-22T22:24:11.000Z
GHSA-4jvx-93h3-f45h GHSA-ffq5-qpvf-xq7x
diff --git a/advisories/github-reviewed/2026/04/GHSA-4jvx-93h3-f45h/GHSA-4jvx-93h3-f45h.json b/advisories/github-reviewed/2026/04/GHSA-4jvx-93h3-f45h/GHSA-4jvx-93h3-f45h.json
@@ -0,0 +1,90 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4jvx-93h3-f45h",
+  "modified": "2026-04-22T22:22:03Z",
+  "published": "2026-04-22T22:22:02Z",
+  "aliases": [],
+  "summary": "OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames",
+  "details": "### Summary\nOpenC3 COSMOS contains a design flaw in the `save_tool_config()` function that allows saving tool configuration files at arbitrary locations inside the shared `/plugins` directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared `/plugins` directory.\n\n### Details\nIn function `save_tool_config()` ([local_mode.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/local_mode.rb#L452))  responsible for saving user-supplied tool configuration, the desired saving directory is not sufficiently enforced, instead allowing writes inside entire `OPENC3_LOCAL_MODE_PATH`.\n\n### PoC\n1.\tNavigate to any tool that enables “Save Configuration” option in left-hand drop-down menu (here Limits Monitor as an example)\n2.\tSave a new config with path traversal name using “../” sequences to escape desired directory (up to 3 levels high)\n3.\tObserve new files created in /plugins directory by inspecting docker container directly (`openc3-COSMOS-cmd-tlm-api`) or using Bucket Explorer (`plugin_default`)\n\n<img width=\"811\" height=\"584\" alt=\"image\" src=\"https://github.com/user-attachments/assets/015a59b4-8b18-4801-aef0-df4831d5c1c3\" />\n<img width=\"720\" height=\"664\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8ca4a5b7-ee45-4c3b-99f6-f41f974a74a7\" />\n\n### Impact\nModifying the data of other plugins",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "openc3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.10.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "openc3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0.pre.rc1"
+            },
+            {
+              "fixed": "7.0.0-rc3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OpenC3/cosmos"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-22T22:22:02Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-ffq5-qpvf-xq7x/GHSA-ffq5-qpvf-xq7x.json b/advisories/github-reviewed/2026/04/GHSA-ffq5-qpvf-xq7x/GHSA-ffq5-qpvf-xq7x.json
@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ffq5-qpvf-xq7x",
+  "modified": "2026-04-22T22:22:28Z",
+  "published": "2026-04-22T22:22:28Z",
+  "aliases": [],
+  "summary": "OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender",
+  "details": "### Summary\nThe Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.\n\n### Details\nThe unsafe `eval()`  usage on user-supplied ARRAY parameters happens in `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue)\n\n### PoC\n1.\tUsing a drop-down form, choose any command that supports ARRAY parameters,\n2.\tInside square brackets “[…]” place a JavaScript code to be executed\n3.\tSend command to CmdTlmServer using dedicated “Send” button \n4.\tObserve JavaScript code being executed in the current browser session context\n\nBelow example uses `INST ARYCMD` to execute simple JavaScript code snippet `alert(“XSS”)`.\n<img width=\"947\" height=\"356\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad\" />\n\n<img width=\"942\" height=\"545\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4df24353-aea0-4aa0-adcf-b7c7e387dc83\" />\n\n### Impact\nLocal JavaScript execution in the user's browser",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "openc3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OpenC3/cosmos"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-22T22:22:28Z",
+    "nvd_published_at": null
+  }
+}
