CVE-2023-30856

CVSS V2 None CVSS V3 None

Description

eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking. When running eDEX-UI and browsing the web, a malicious website can connect to eDEX's internal terminal control websocket, and send arbitrary commands to the shell. The project has been archived since 2021, and as of time of publication there are no plans to patch this issue and release a new version. Some workarounds are available, including shutting down eDEX-UI when browsing the web and ensuring the eDEX terminal runs with lowest possible privileges.

Overview

CVE ID
CVE-2023-30856

Assigner
security-advisories@github.com

Vulnerability Status
Received

Published Version
2023-04-28T16:15:10

Last Modified Date
2023-04-28T16:15:10

Weakness Enumerations

CWE	URL
CWE-1385	http://cwe.mitre.org/data/definitions/1385.html

References

Reference URL	Reference Tags
https://christian-schneider.net/CrossSiteWebSocketHijacking.html
https://github.com/GitSquared/edex-ui/blob/04a00c4079908788b371c6ecdefff96d0d9950f8/src/classes/terminal.class.js#L458
https://github.com/GitSquared/edex-ui/security/advisories/GHSA-q8xc-f2wf-ffh9

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-30856
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30856

History

Created	Old Value	New Value	Data Type	Notes
2023-04-28 17:01:12				Added to TrackCVE
2023-04-28 17:01:15			Weakness Enumeration	new