CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49296 – Arduino Create Agent vulnerable to Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-49296
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue. Arduino Create Agent permite a los usuarios utilizar las aplicaciones Arduino Create para cargar código a cualquier placa Arduino conectada por USB directamente desde el navegador. • https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8 https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43800 – Insufficient Verification of Data Authenticity in Arduino Create Agent
https://notcve.org/view.php?id=CVE-2023-43800
Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. • https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3 https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43801 – Path traversal in Arduino Create Agent
https://notcve.org/view.php?id=CVE-2023-43801
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. • https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3 https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-mjq6-pv9c-qppq https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43802 – Path traversal in Arduino Create Agent
https://notcve.org/view.php?id=CVE-2023-43802
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. • https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3 https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43803 – Path traversal in Arduino Create Agent
https://notcve.org/view.php?id=CVE-2023-43803
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. • https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3 https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-m5jc-r4gf-c6p8 https://lists.debian.org/debian-lts-announce/2023/11/msg00005.html https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •