Moderate severity · NVD Advisory · Published Oct 2, 2024 · Updated Oct 31, 2024
OpenC3 COSMOS vulnerable to cross-site scripting in Login functionality (`GHSL-2024-128`)
CVE-2024-43795
Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Its login page reads a `redirect` query parameter and assigns it to `window.location` without validation, so an attacker-supplied value (for example a `javascript:` URL) is followed, giving reflected cross-site scripting (XSS). This is fixed in 5.19.0, which restricts the redirect to a same-origin relative path. Note: This CVE only affects the Open Source Edition, not OpenC3 COSMOS Enterprise Edition.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openc3 (RubyGems) | < 5.19.0 | 5.19.0 |
| @openc3/tool-common (npm) | < 5.19.0 | 5.19.0 |
| openc3 (PyPI) | < 5.19.0 | 5.19.0 |
Affected products: 1
Patches: 1
2 files changed · +12 −2
openc3-cosmos-init/plugins/openc3-tool-base/public/js/auth.js+6 −1 modified@@ -35,9 +35,14 @@ class Auth { delete localStorage.openc3Token } login(redirect) { + let url = new URL(redirect) + let result = url.pathname + if (url.search) { + result = result + url.search + } // redirect to login if we're not already there if (!/^\/login/.test(location.pathname)) - location = `/login?redirect=${encodeURI(redirect)}` + location = `/login?redirect=${encodeURI(result)}` } logout() { this.clearTokens()
openc3-cosmos-init/plugins/packages/openc3-tool-common/src/tools/base/components/Login.vue+6 −1 modified@@ -145,7 +145,12 @@ export default { const redirect = new URLSearchParams(window.location.search).get( 'redirect', ) - window.location = decodeURI(redirect || '/') + if (redirect[0] === '/' && redirect[1] !== '/') { + // Valid relative redirect URL + window.location = decodeURI(redirect) + } else { + window.location = '/' + } }, verifyPassword: function () { this.showAlert = false
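Review bot: In the auth.js hunk, `new URL(redirect)` has no base argument, so a relative value such as `/tools/cmdtlmserver` throws a TypeError before the `location = ...` line runs; pass the current origin as the base (`let url = new URL(redirect, location.origin)`) so both absolute and relative callers keep working. The result is also still wrapped in `encodeURI`, which leaves `&`, `=` and `#` unencoded, so a query string in `result` such as `?a=1&b=2` is split into separate parameters when `/login` reads `redirect` back and the destination is truncated; `encodeURIComponent(result)` keeps the whole path and query inside the one parameter. Dropping `url.hash` is fine, but a one-line comment saying the fragment is discarded on purpose would save the next reader from guessing.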
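Review bot: In the Login.vue hunk, `redirect[0] === '/'` dereferences `redirect` before the absent-parameter case is handled: `URLSearchParams.get` returns `null` when there is no `?redirect=`, and the removed line covered that with `redirect || '/'`, so a plain visit to `/login` now throws a TypeError in this handler instead of landing on `/`. Default it first (`const redirect = new URLSearchParams(window.location.search).get('redirect') || '/'`) or guard with `typeof redirect === 'string'`. The second condition should also reject a backslash: `redirect[1] !== '/'` lets `/\evil.example` through, and the browser URL parser treats `\` as `/` for http(s), so the assignment navigates to `//evil.example`; checking `redirect[1] !== '/' && redirect[1] !== '\\'` closes that.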
References
- GHSA advisory: github.com/advisories/GHSA-vfj8-5pj7-2f9g
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2024-43795
- GitHub Security Lab advisory: securitylab.github.com/advisories/GHSL-2024-127_GHSL-2024-129_OpenC3_COSMOS
- Fix commit: github.com/OpenC3/cosmos/commit/762d7e0e93bdc2f340b1e42acccedc78994a576e
- Project advisory: github.com/OpenC3/cosmos/security/advisories/GHSA-vfj8-5pj7-2f9g
- PyPA advisory database: github.com/pypa/advisory-database/tree/main/vulns/openc3/PYSEC-2024-100.yaml
- Ruby advisory database: github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2024-43795.yml