Arbitrary JavaScript Execution via HTML File Upload in Yamcs 5.8.6

Arbitrary JavaScript Execution via HTML File Upload in Yamcs 5.8.6

CVE-2023-45280 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Yamcs 5.8.6 allows XSS (issue 2 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload an HTML file containing arbitrary JavaScript and then navigate to it. Once the user opens the file, the browser will execute the arbitrary JavaScript.

Learn more about our User Device Pen Test.