OpenC3 COSMOS Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability exists in OpenC3 COSMOS version 6.0.0. An attacker can execute arbitrary JavaScript or HTML in a victim's browser by placing a crafted payload in a URL parameter that the application renders without adequate validation. The injection is not blocked because the application's Content Security Policy (CSP) permits 'unsafe-inline' and 'unsafe-eval', so inline and eval-constructed script is allowed to run. Both the Documentation tool and the Telemetry Viewer tool can be abused in this way; the injected script runs with the victim's session and can exfiltrate the session token or, through the application, run commands on the host system.
Impact
Exploitation results in cross-site scripting: an injected script runs in the victim's browser with the victim's session and can exfiltrate sensitive information, including the session token, or perform actions on behalf of the user.
Reproduction
The vulnerability can be reproduced by injecting JavaScript into the URL parameter of the Documentation tool or the Telemetry Viewer tool. In the Documentation tool the payload is reflected from the URL: the injected script reads the session token from Local Storage and uses it to submit a script to the Script Runner tool, which executes it and yields a reverse shell on the host. In the Telemetry Viewer tool the payload is stored: the injected script is saved with the view and executes for other users who open it, with the same potential outcome.
Remediation
It is recommended to remove the iframe component from the Documentation tool, or to hard-code its parameters so that no user-controlled input reaches the iframe source; if a parameter must remain, validate it against an allow-list of same-origin documentation paths and reject any other scheme or host. Additionally, the Content Security Policy should be updated to remove 'unsafe-inline' and 'unsafe-eval' from the directive that governs scripts (script-src, or default-src where script-src is absent). The CSP change is defence in depth: it limits what an injected payload can do but does not by itself remove the injection point.
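The two remediation points above, as an added example that is not code from this advisory or from OpenC3 COSMOS: a small audit that reports whether a served CSP still allows inline or eval'd script, and a validator that accepts a user-supplied documentation URL only when it resolves to a same-origin path under an allow-listed prefix. The deployment origin, the documentation path prefix and the sample header and parameter values are assumptions constructed for the example.

```javascript
// Added example, not code from the advisory or from OpenC3 COSMOS.
// Two checks that follow the remediation advice: audit the CSP that is
// served, and validate a user-supplied URL before it is used as an iframe src.

// --- 1. CSP audit ---------------------------------------------------------
// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Report whether the directive that actually governs script execution
// (script-src, or default-src as its fallback) carries 'unsafe-inline' or
// 'unsafe-eval'. Note: CSP3 browsers ignore 'unsafe-inline' when a nonce,
// hash or 'strict-dynamic' is also present; this audit reports the literal
// keyword, which is what the remediation asks to remove.
function auditScriptPolicy(header) {
  const d = parseCsp(header);
  const governing = d['script-src'] ? 'script-src' : d['default-src'] ? 'default-src' : 'none';
  const sources = d[governing] || [];
  return {
    governing,
    allowsInline: sources.includes("'unsafe-inline'"),
    allowsEval: sources.includes("'unsafe-eval'"),
  };
}

// --- 2. iframe src validation --------------------------------------------
// Assumptions for this example: the deployment origin and the path prefix
// under which documentation pages live. Both are placeholders.
const DOC_ORIGIN = 'https://cosmos.example.test';
const DOC_PREFIX = '/tools/docs/';

// Return an absolute same-origin URL under DOC_PREFIX, or null if the value
// must not be loaded. Resolving with the URL constructor rejects javascript:
// and data: schemes (their origin is "null"), absolute or protocol-relative
// URLs to other hosts (origin mismatch), and ../ traversal (normalised away
// before the prefix comparison).
function safeDocUrl(userValue, origin = DOC_ORIGIN, prefix = DOC_PREFIX) {
  if (typeof userValue !== 'string' || userValue.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(userValue, origin);
  } catch {
    return null;
  }
  if (parsed.origin !== origin) return null;
  if (!parsed.pathname.startsWith(prefix)) return null;
  return parsed.href;
}

// Usage on a constructed weak header and constructed parameter values.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
console.log(auditScriptPolicy(WEAK_CSP));
console.log(safeDocUrl('/tools/docs/guide.html'));
console.log(safeDocUrl('javascript:alert(1)'));
```

The validator deliberately resolves the value against the application's own origin rather than string-matching it, so scheme tricks (mixed-case `JavaScript:`, `data:`), protocol-relative `//host/` forms and `..` segments are all handled by the URL parser's normalisation before the origin and prefix comparisons run.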
