Skip to content
This repository has been archived by the owner on Oct 22, 2021. It is now read-only.

Cross-site websocket hijacking enables remote command execution (RCE)

High
GitSquared published GHSA-q8xc-f2wf-ffh9 Apr 28, 2023

Package

edex-ui

Affected versions

<= v2.2.8

Patched versions

None

Description

Impact

When running eDEX-UI and browsing the web, a malicious website can connect to eDEX's internal terminal control websocket, and send arbitrary commands to the shell.

Patches

The project has been archived for 2+ years, and at the moment there are no plans to patch this issue and release a new version.

Workarounds

  • Shutting down eDEX-UI when browsing the web
  • Ensuring the eDEX terminal runs with lowest possible privileges helps mitigating potential risks

References

More context about the root cause of this issue can be found here:
https://christian-schneider.net/CrossSiteWebSocketHijacking.html

The vulnerable code can be examined here:

this.wss.on("connection", ws => {

Severity

High
8.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVE ID

CVE-2023-30856

Weaknesses

Credits