Unknown · OpenC3 COSMOS · CVE-2026-42088
**Name of the Vulnerable Software and Affected Versions**
OpenC3 COSMOS versions prior to 7.0.0-rc3
**Description**
The Script Runner widget allows users to execute Python and Ruby scripts directly from the 'openc3-COSMOS-script-runner-api' container. Because all Docker containers share a network, users can execute specially crafted scripts to bypass API permission checks and perform administrative actions. This includes reading and modifying data within the Redis database to access secrets and change settings, as well as reading and writing to the buckets service containing configuration, log, and plugin files. These capabilities are typically restricted to the Admin Console or users with administrative privileges. Any user permitted to create and run scripts can connect to any service within the Docker network.
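To check a deployment for the shared-network exposure described above, an operator can list every container attached to the same Docker network as the script runner. The following is an added example, not code from the advisory or from OpenC3: it reads JSON in the shape produced by `docker network inspect`, and the sample network names, container names and the `runner_exposure` helper are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker network inspect` output.
# Network and container names are placeholders, not taken from the advisory.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "example_default", "Containers": {
     "a1": {"Name": "example-script-runner-api-1"},
     "b2": {"Name": "example-redis-1"},
     "c3": {"Name": "example-buckets-1"},
     "d4": {"Name": "example-cmd-tlm-api-1"}}},
  {"Name": "example_isolated", "Containers": {
     "e5": {"Name": "example-metrics-1"}}},
  {"Name": "none", "Containers": null}
]
""")

# Backing services the advisory names as reachable from the script container.
ADVISORY_SERVICES = ("redis", "buckets")


def runner_exposure(networks, runner_hint="script-runner-api"):
    """Return {network: [(container, named_in_advisory), ...]} for every
    network the script-runner container is attached to (hypothetical helper)."""
    report = {}
    for net in networks:
        # Networks with no attached containers may report null here.
        members = list((net.get("Containers") or {}).values())
        names = [m.get("Name", "") for m in members]
        if not any(runner_hint in n for n in names):
            continue  # the script runner is not on this network
        peers = [
            (n, any(s in n for s in ADVISORY_SERVICES))
            for n in names
            if runner_hint not in n
        ]
        report[net["Name"]] = sorted(peers)
    return report


if __name__ == "__main__":
    for net, peers in runner_exposure(SAMPLE_INSPECT).items():
        for name, flagged in peers:
            note = "named in advisory" if flagged else "also reachable"
            print(f"{net}: {name} [{note}]")
```

Every container listed is on the script runner's network; the flag only marks the Redis and buckets services that the description calls out.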
**Recommendations**
Update to version 7.0.0-rc3.