GHSA-FFQ5-QPVF-XQ7X

Vulnerability from github – Published: 2026-04-22 22:22 – Updated: 2026-04-22 22:22
VLAI?
Summary
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
Details

Summary

The Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.

Details

The unsafe eval() usage on user-supplied ARRAY parameters happens in convertToValue method in CommandSender.vue

PoC

  1. Using a drop-down form, choose any command that supports ARRAY parameters,
  2. Inside square brackets “[…]” place a JavaScript code to be executed
  3. Send command to CmdTlmServer using dedicated “Send” button
  4. Observe JavaScript code being executed in the current browser session context

Below example uses INST ARYCMD to execute simple JavaScript code snippet alert(“XSS”). image

image

Impact

Local JavaScript execution in the user's browser

Severity ?
4.6 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "openc3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T22:22:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim\u2019s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.\n\n### Details\nThe unsafe `eval()`  usage on user-supplied ARRAY parameters happens in `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue)\n\n### PoC\n1.\tUsing a drop-down form, choose any command that supports ARRAY parameters,\n2.\tInside square brackets \u201c[\u2026]\u201d place a JavaScript code to be executed\n3.\tSend command to CmdTlmServer using dedicated \u201cSend\u201d button \n4.\tObserve JavaScript code being executed in the current browser session context\n\nBelow example uses `INST ARYCMD` to execute simple JavaScript code snippet `alert(\u201cXSS\u201d)`.\n\u003cimg width=\"947\" height=\"356\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad\" /\u003e\n\n\u003cimg width=\"942\" height=\"545\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4df24353-aea0-4aa0-adcf-b7c7e387dc83\" /\u003e\n\n### Impact\nLocal JavaScript execution in the user\u0027s browser",
  "id": "GHSA-ffq5-qpvf-xq7x",
  "modified": "2026-04-22T22:22:28Z",
  "published": "2026-04-22T22:22:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenC3/cosmos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.