CVE-2023-49296

Arduino Create Agent vulnerable to Reflected Cross-Site Scripting

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.

Arduino Create Agent permite a los usuarios utilizar las aplicaciones Arduino Create para cargar código a cualquier placa Arduino conectada por USB directamente desde el navegador. Una vulnerabilidad en versiones anteriores a la 1.3.6 afecta el endpoint `/certificate.crt` y la forma en que la interfaz web de ArduinoCreateAgent maneja los mensajes de error personalizados. Un atacante que sea capaz de persuadir a una víctima para que haga clic en un enlace malicioso puede realizar un ataque de Cross-Site Scripting Reflejadas en la interfaz web del agente de creación, lo que permitiría al atacante ejecutar código arbitrario del lado del cliente del navegador. La versión 1.3.6 contiene una solución para el problema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-24 CVE Reserved
2023-12-13 CVE Published
2024-08-02 CVE Updated
2024-11-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8	2023-12-19

URL	Date	SRC
https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h	2023-12-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Arduino Search vendor "Arduino"		Create Agent Search vendor "Arduino" for product "Create Agent"				< 1.3.6 Search vendor "Arduino" for product "Create Agent" and version " < 1.3.6"		go		Affected