Skip to main content

Cosmos CVE-2024-43795

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-10-02 security-advisories@github.com
5.1
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
CVE Published
Oct 02, 2024 - 20:15 cve.org
MEDIUM 5.1

DescriptionCVE.org

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. The login functionality contains a reflected cross-site scripting (XSS) vulnerability. This vulnerability is fixed in 5.19.0. Note: This CVE only affects Open Source Edition, and not OpenC3 COSMOS Enterprise Edition.

AnalysisAI

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. The login functionality contains a reflected cross-site scripting (XSS) vulnerability. This vulnerability is fixed in 5.19.0. Note: This CVE only affects Open Source Edition, and not OpenC3 COSMOS Enterprise Edition. Affected products include: Openc3 Cosmos.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Cosmos

View all
CVE-2025-28386 CRITICAL POC
9.8 Jun 13

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent

CVE-2025-28388 CRITICAL POC
9.8 Jun 13

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-28384 CRITICAL POC
9.1 Jun 13

Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end

CVE-2025-28382 HIGH POC
7.5 Jun 13

Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to

CVE-2025-28381 HIGH POC
7.5 Jun 13

A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.

CVE-2025-28380 MEDIUM POC
6.1 Jun 13

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri

CVE-2026-42087 CRITICAL
9.6 May 04

SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privi

CVE-2024-47529 MEDIUM POC
4.8 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42084 HIGH
8.1 May 04

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attacker

CVE-2024-46977 MEDIUM
5.3 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42086 MEDIUM
4.6 May 04

Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaS

Share

CVE-2024-43795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy