Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49296: Reflected Cross-Site Scripting

The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint /certificate.crt and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.

CVE
Open in Source
#xss#vulnerability#web

Moderate

rhaidiz published GHSA-j5hc-wx84-844h

Dec 13, 2023

Package

gomod ArduinoCreateAgent (Go)

Description

Impact

The vulnerability affects the endpoint /certificate.crt and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code.

Fixed Version

  • 1.3.6

Severity

CVSS base metrics

User interaction

Required

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Weaknesses

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE