Ctrlsill

**Name of the Vulnerable Software and Affected Versions** OpenC3 COSMOS versions prior to 6.10.5 OpenC3 COSMOS versions prior to 7.0.0-rc3 **Description** The password change functionality allows a user to change their password without providing the current password, as the system accepts a valid session token instead. In a breach scenario, an attacker with a valid session token can exploit this to maintain persistence in a hijacked account, including administrative accounts, and block legitimate users from accessing the account. **Recommendations** Update to version 6.10.5. Update to version 7.0.0-rc3.

**Name of the Vulnerable Software and Affected Versions** OpenC3 COSMOS versions prior to 6.10.5 OpenC3 COSMOS versions prior to 7.0.0-rc3 **Description** A design flaw in the `save tool config()` function allows users to save tool configuration files at arbitrary locations within the shared /plugins directory tree by providing crafted configuration filenames. While standard path traversal attacks are mitigated by canonicalizing filenames to absolute paths, the shared root directory for all plugins enables the creation of arbitrary file structures and the overwriting of existing configuration files within that directory. **Recommendations** Update to version 6.10.5. Update to version 7.0.0-rc3.

**Name of the Vulnerable Software and Affected Versions** OpenC3 COSMOS versions prior to 7.0.0 **Description** The Command Sender UI uses an unsafe `eval()` function on array-like command parameters. This allows a user-supplied payload to execute in the browser when sending a command, creating a self-XSS (Cross-Site Scripting) risk. An attacker could trigger script execution in a victim's session if they can influence the array parameter input, such as through phishing. Successful exploitation may allow an attacker to read or modify data within the authenticated browser context, including session tokens stored in local storage. **Recommendations** Update to version 7.0.0.