CVE-2023-49296
CVSS V2 None
CVSS V3 None
Description
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB-connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the Arduino Create Agent handles custom error messages. An attacker who can persuade a victim to click a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the Create Agent, which would allow the attacker to execute arbitrary client-side code in the victim's browser. Version 1.3.6 contains a fix for the issue.
Overview
- CVE ID: CVE-2023-49296
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2023-12-13T19:54:34.638Z
- Last Modified Date: 2023-12-13T19:54:34.638Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h | x_refsource_CONFIRM |
https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-49296 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49296 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-25 12:51:06 | | | | Added to TrackCVE |