PT-2023-29482 · Yamcs · Yamcs
Author: Andy Olchawa +1
Published: 2023-10-19 · Updated: 2023-10-25
CVE ID: CVE-2023-45279
| CVSS v3.1 | 5.4 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Yamcs version 5.8.6
Description
Yamcs is vulnerable to Cross-Site Scripting (XSS). Yamcs ships with a bucket as its primary storage mechanism, and the bucket accepts uploads of any file type. A user with upload rights can upload a display that references a malicious JavaScript file stored in the same bucket. When another user opens that display (by selecting Telemetry from the menu and navigating to the display), the referenced script executes in the browser of the user viewing it.
Recommendations
For Yamcs version 5.8.6, as a temporary workaround, disable the ability to upload displays that reference external files to the bucket until a patch is available. Restrict access to the bucket to minimize the risk of exploitation, and avoid using the bucket's file upload feature in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Affected Products
Yamcs