{"id":"PYSEC-2024-121","details":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. Because LocalStorage is readable by any script running in the page's origin, this makes the user password susceptible to exfiltration via cross-site scripting (see GHSL-2024-128). This vulnerability is fixed in 5.19.0. It affects only the Open Source edition, not OpenC3 COSMOS Enterprise Edition.","aliases":["CVE-2024-47529","GHSA-4xqv-47rm-37mm"],"modified":"2024-11-13T20:57:40.231393Z","published":"2024-10-02T20:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm"},{"type":"FIX","url":"https://github.com/OpenC3/cosmos/commit/b5ab34fe7fa54c0c8171c4aa3caf4e03d6f63bd7"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2024-127_GHSL-2024-129_OpenC3_COSMOS"}],"affected":[{"package":{"name":"openc3","ecosystem":"PyPI","purl":"pkg:pypi/openc3"},"ranges":[{"type":"GIT","repo":"https://github.com/OpenC3/cosmos","events":[{"introduced":"0"},{"fixed":"b5ab34fe7fa54c0c8171c4aa3caf4e03d6f63bd7"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.19.0"}]}],"versions":["0.1.0","5.10.0","5.10.1","5.11.0","5.11.1","5.11.2","5.11.3","5.12.0","5.13.0","5.14.0","5.14.1","5.14.2","5.15.0","5.15.1","5.15.2","5.16.0","5.16.1","5.16.2","5.17.0","5.17.1","5.18.0","5.9.2b0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/openc3/PYSEC-2024-121.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}