PT-2023-31156 · Arduino · Arduino Create Agent
Rhaidiz · Published 2023-12-13 · Updated 2023-12-19 · CVE-2023-49296
CVSS v3.1: 6.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Arduino Create Agent versions prior to 1.3.6
Description
A vulnerability affects the "/certificate.crt" endpoint and the way the web interface of the ArduinoCreateAgent handles custom error messages: a message supplied in the request is reflected into the HTML response without being encoded. An attacker can perform a Reflected Cross-Site Scripting attack against the web interface of the create agent by persuading a victim into clicking a malicious link, allowing the attacker to execute arbitrary client-side code in the victim's browser.
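The bug class described above, shown as an added example that is not the agent's own code: a hypothetical Go handler that reflects a caller-controlled error message into an HTML page by string concatenation, beside the same page rendered through html/template, which encodes the message for the HTML context. The endpoint path, parameter name and input are constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// renderErrorUnsafe builds the error page by concatenation, so any markup in
// msg reaches the browser as markup (the reflected XSS pattern).
func renderErrorUnsafe(msg string) string {
	return fmt.Sprintf("<html><body><p>Error: %s</p></body></html>", msg)
}

// html/template escapes values according to where they land in the markup.
var errTmpl = template.Must(template.New("err").Parse(
	"<html><body><p>Error: {{.}}</p></body></html>"))

// renderErrorSafe renders the same page with msg encoded as HTML text.
func renderErrorSafe(msg string) (string, error) {
	var sb strings.Builder
	if err := errTmpl.Execute(&sb, msg); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// errorHandler serves a hypothetical endpoint that echoes a custom error
// message taken from the "err" query parameter; safe selects the encoding path.
func errorHandler(safe bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		msg := r.URL.Query().Get("err")
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		if !safe {
			fmt.Fprint(w, renderErrorUnsafe(msg))
			return
		}
		body, err := renderErrorSafe(msg)
		if err != nil {
			http.Error(w, "render failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprint(w, body)
	}
}

func main() {
	// Constructed input: harmless markup that must not survive unencoded.
	req := httptest.NewRequest("GET", "/error?err=%3Cb%3Eoops%3C%2Fb%3E", nil)
	for _, safe := range []bool{false, true} {
		rec := httptest.NewRecorder()
		errorHandler(safe)(rec, req)
		fmt.Printf("safe=%v raw <b> present=%v\n", safe, strings.Contains(rec.Body.String(), "<b>"))
	}
}
```

The same check, grepping the response for the literal markup you sent, is a quick way to confirm a fix actually encodes the message rather than just filtering one payload.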
Recommendations
For versions prior to 1.3.6, update to version 1.3.6 to resolve the issue.
As a temporary workaround, consider restricting access to the "/certificate.crt" endpoint until a patch is available.
Avoid using custom error messages in the web interface of the ArduinoCreateAgent until the issue is resolved.
Affected Products
Arduino Create Agent