CVE-2024-47529 MEDIUM

CVE-2024-47529: OpenC3 COSMOS uses clear text storage of password/token (`GHSL-2024-129`)

Vendor Openc3
Product cosmos
Weakness CWE-312 · Cleartext storage
Published October 2, 2024
Last update October 31, 2024

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). This vulnerability is fixed in 5.19.0. This only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition.

Key dates

02Disclosure timeline

October 2, 2024 CVE published
October 31, 2024 Record updated