OpenC3 COSMOS Command Sender Self-XSS Vulnerability

Vulnerability

A self cross-site scripting (self-XSS) vulnerability has been identified in OpenC3 COSMOS versions prior to 7.0.0. The issue arises in the Command Sender UI, where an unsafe eval() call is applied to array-like command parameters. Because eval() treats the parameter text as code rather than data, a user-supplied payload executes in the browser when the command is sent. An attacker could exploit this by influencing the array parameter input, for example through phishing, to execute scripts in the context of the victim's session. Successful exploitation could enable the attacker to read or modify data in the authenticated browser context, including session tokens stored in local storage.
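The root cause described above is a parser that evaluates parameter text instead of decoding it. The following is an added example, not code from OpenC3 COSMOS, contrasting the unsafe eval() pattern with a hardened parser that only ever produces data and then validates its shape; the function names and the accepted item types are assumptions made for the illustration.

```javascript
// Added example (not OpenC3 COSMOS code). Two ways of turning the text of an
// ARRAY-typed command parameter into a JavaScript array. Names are hypothetical.

// Unsafe: eval() runs whatever the field contains in the page's origin, so a
// value that is valid JavaScript but not an array literal still executes.
function parseArrayParamUnsafe(text) {
  return eval(text); // "[1, 2, 3]" -> [1, 2, 3], but "1 + 1" -> 2 (code ran)
}

// Hardened: JSON.parse never executes input; it either yields data or throws.
// The shape is then enforced explicitly (assumed here: a flat array whose
// items are numbers or strings, which is what a command parameter expects).
function parseArrayParamSafe(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    throw new Error("ARRAY parameter is not valid JSON");
  }
  if (!Array.isArray(value)) {
    throw new Error("ARRAY parameter must be a JSON array");
  }
  for (const item of value) {
    if (typeof item !== "number" && typeof item !== "string") {
      throw new Error("ARRAY items must be numbers or strings");
    }
  }
  return value;
}

// Helper for a form-level check: returns true only when the text is accepted
// by the safe parser, so the UI can refuse the value before sending anything.
function isAcceptableArrayParam(text) {
  try {
    parseArrayParamSafe(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_OK = "[1, 2, 3]";
const SAMPLE_EXPR = "1 + 1";          // valid JS expression, not a JSON array
const SAMPLE_OBJECT = '{"a": 1}';     // valid JSON, wrong shape
```

The difference to remember is that the unsafe parser returns 2 for `SAMPLE_EXPR` because it executed the text, while the hardened parser rejects it without running anything. Validating the decoded shape matters as well: JSON.parse alone would happily accept `SAMPLE_OBJECT`.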

Impact

Exploitation of this vulnerability allows local execution of JavaScript in the user's browser, creating a self-XSS risk in which the attacker's script runs in the context of the victim's authenticated session.

Reproduction

To reproduce this vulnerability, use the drop-down form to select a command that accepts ARRAY parameters. Enter a JavaScript snippet into the array parameter field, then send the command to the CmdTlmServer. The injected script is executed in the browser session when the parameter is evaluated.

Remediation

Users are advised to update to OpenC3 COSMOS version 7.0.0 or later.

Added: May 4, 2026, 6:26 PM
Updated: May 4, 2026, 6:26 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 1.7
exploitability: 5.6
remediation: 0.0
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.