Cosmos
Monthly
Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable brute force attacks. An unauthenticated remote attacker can exploit this with no user interaction to gain full control over the affected system, including confidentiality, integrity, and availability compromise. The CVSS 9.8 severity and network-based attack vector indicate this poses significant risk to any organization running the vulnerable version without additional protective controls.
OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthenticated remote attackers to gain complete system compromise without any user interaction. This critical vulnerability has a CVSS score of 9.8 (critical severity) with a network attack vector, and given the nature of hardcoded credentials in a mission-critical space operations software, real-world exploitation risk is extremely high for organizations still running vulnerable versions.
Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthenticated attackers to execute arbitrary code by uploading a specially crafted .txt file. The vulnerability has a CVSS score of 9.8 (critical severity) with no authentication or user interaction required, making it trivially exploitable over the network. Given the high CVSS score and attack surface (public-facing plugin management interfaces), this vulnerability poses an immediate threat to all deployed instances of the affected version.
Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ endpoint. An unauthenticated attacker can exploit this flaw over the network with no user interaction required to read and potentially write arbitrary files on the affected system, achieving high confidentiality and integrity impact. The vulnerability has a CVSS score of 9.1 (Critical) with an CVSS vector indicating network-based attack, low complexity, and no privilege requirements.
Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to read arbitrary files from the server via the openc3-api/tables endpoint. This high-severity issue (CVSS 7.5) enables confidentiality breaches without requiring authentication or user interaction, potentially exposing sensitive configuration files, credentials, and operational data managed by the COSMOS command and control system.
A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.
A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter.
Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable brute force attacks. An unauthenticated remote attacker can exploit this with no user interaction to gain full control over the affected system, including confidentiality, integrity, and availability compromise. The CVSS 9.8 severity and network-based attack vector indicate this poses significant risk to any organization running the vulnerable version without additional protective controls.
OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials embedded in the Service Account, allowing unauthenticated remote attackers to gain complete system compromise without any user interaction. This critical vulnerability has a CVSS score of 9.8 (critical severity) with a network attack vector, and given the nature of hardcoded credentials in a mission-critical space operations software, real-world exploitation risk is extremely high for organizations still running vulnerable versions.
Critical remote code execution vulnerability in OpenC3 COSMOS v6.0.0's Plugin Management component that allows unauthenticated attackers to execute arbitrary code by uploading a specially crafted .txt file. The vulnerability has a CVSS score of 9.8 (critical severity) with no authentication or user interaction required, making it trivially exploitable over the network. Given the high CVSS score and attack surface (public-facing plugin management interfaces), this vulnerability poses an immediate threat to all deployed instances of the affected version.
Critical directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 affecting the /script-api/scripts/ endpoint. An unauthenticated attacker can exploit this flaw over the network with no user interaction required to read and potentially write arbitrary files on the affected system, achieving high confidentiality and integrity impact. The vulnerability has a CVSS score of 9.1 (Critical) with an CVSS vector indicating network-based attack, low complexity, and no privilege requirements.
Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to read arbitrary files from the server via the openc3-api/tables endpoint. This high-severity issue (CVSS 7.5) enables confidentiality breaches without requiring authentication or user interaction, potentially exposing sensitive configuration files, credentials, and operational data managed by the COSMOS command and control system.
A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.
A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter.