GHSA SYNC: 2 brand new advisories (#878)

jasnow · postmodern · web-flow · commit bc76a8567233 · 2025-06-17T10:38:13.000-07:00
---------

Co-authored-by: Postmodern &lt;postmodern.mod3@gmail.com&gt;
diff --git a/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml b/gems/openc3-cosmos-tool-iframe/CVE-2025-28382.yml
@@ -0,0 +1,21 @@
+---
+gem: openc3-cosmos-tool-iframe
+cve: 2025-28382
+ghsa: cf8v-5mrc-jv7f
+url: https://github.com/advisories/GHSA-cf8v-5mrc-jv7f
+title: OpenC3 COSMOS Vulnerable to Directory Traversal via
+  openc3-api/tables endpoint
+date: 2025-06-13
+description: |
+  An issue in the openc3-api/tables endpoint of OpenC3 COSMOS
+  6.0.0 allows attackers to execute a directory traversal.
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 6.0.0"
+notes: Never patched
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-28382
+    - https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework
+    - https://openc3.com
+    - https://github.com/advisories/GHSA-cf8v-5mrc-jv7f
diff --git a/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml b/gems/openc3-cosmos-tool-iframe/CVE-2025-28384.yml
@@ -0,0 +1,21 @@
+---
+gem: openc3-cosmos-tool-iframe
+cve: 2025-28384
+ghsa: p67j-387g-75wc
+url: https://github.com/advisories/GHSA-p67j-387g-75wc
+title: OpenC3 COSMOS Vulnerable to Directory Traversal via
+  /script-api/scripts/ endpoint
+date: 2025-06-13
+description: |
+  An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS
+  6.0.0 allows attackers to execute a directory traversal.
+cvss_v3: 9.1
+unaffected_versions:
+  - "< 6.0.0"
+notes: Never patched
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-28384
+    - https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework
+    - https://openc3.com
+    - https://github.com/advisories/GHSA-p67j-387g-75wc
