CVE-2023-45280

Name of the Vulnerable Software and Affected Versions Yamcs version 5.8.6

Description The issue allows for Cross-Site Scripting (XSS) due to the ability to upload arbitrary files, including HTML files containing JavaScript, to the primary storage mechanism, known as a Bucket. An attacker can upload such a file and then navigate to it, causing the browser to execute the arbitrary JavaScript when the file is opened.

Recommendations For Yamcs version 5.8.6, consider restricting the upload of HTML files or files containing JavaScript to the Bucket as a temporary workaround until a patch is available. Additionally, avoid navigating to or opening suspicious files uploaded to the Bucket to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.