Skip to main content

Cosmos CVE-2024-47529

MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2024-10-02 security-advisories@github.com
4.8
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Oct 02, 2024 - 20:15 cve.org
MEDIUM 4.8

DescriptionCVE.org

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). This vulnerability is fixed in 5.19.0. This only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition.

AnalysisAI

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-312. OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). This vulnerability is fixed in 5.19.0. This only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition. Affected products include: Openc3 Cosmos.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Cosmos

View all
CVE-2025-28386 CRITICAL POC
9.8 Jun 13

Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthent

CVE-2025-28388 CRITICAL POC
9.8 Jun 13

OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthentic

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-28384 CRITICAL POC
9.1 Jun 13

Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ end

CVE-2025-28382 HIGH POC
7.5 Jun 13

Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to

CVE-2025-28381 HIGH POC
7.5 Jun 13

A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.

CVE-2025-28380 MEDIUM POC
6.1 Jun 13

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scri

CVE-2026-42087 CRITICAL
9.6 May 04

SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privi

CVE-2026-42084 HIGH
8.1 May 04

OpenC3 COSMOS password change functionality accepts valid session tokens in lieu of current passwords, enabling attacker

CVE-2024-46977 MEDIUM
5.3 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2024-43795 MEDIUM
5.1 Oct 02

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.

CVE-2026-42086 MEDIUM
4.6 May 04

Self-XSS in OpenC3 COSMOS Command Sender UI prior to version 7.0.0 allows authenticated users to execute arbitrary JavaS

Share

CVE-2024-47529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy