Name of the Vulnerable Software and Affected Versions cosmos (affected versions not specified)

Description The Command Sender UI employs an unsafe eval() function when processing array-like command parameters. This allows a user-supplied payload to execute within the browser during the command sending process, leading to a self-XSS risk. An attacker could trigger script execution in a victim's session if they can influence the array parameter input, such as through phishing. Successful exploitation may allow the attacker to read or modify data within the authenticated browser context, including session tokens stored in local storage. The issue occurs in the convertToValue() function.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.