Description
CVE-2023-49296 references github.com/arduino/arduino-create-agent, which may be a Go module.
Description:
The Arduino Create Agent lets users of the Arduino Create applications upload code to any USB-connected Arduino board directly from the browser. Versions prior to 1.3.6 are affected by a vulnerability in the /certificate.crt endpoint
and in the way the Arduino Create Agent's web interface handles custom error messages. An attacker who can persuade a victim to click a malicious link can perform a reflected cross-site scripting attack against the web interface of the Create Agent and execute arbitrary client-side code in the victim's browser. Version 1.3.6 contains a fix for the issue.
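The pattern the advisory describes, a request-controlled value flowing into a custom error message that is written unescaped into an HTML response, is shown below as an added stdlib-only example. It is not the agent's code and does not reproduce the fix in 9a0e582; the `name` query parameter, the `loadCertificate` lookup and the HTML error page are assumptions made for illustration. The vulnerable handler sits beside a hardened one that HTML-escapes request-derived text and sets `X-Content-Type-Options: nosniff`, and `probe` performs the check a tester would run against /certificate.crt.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hypothetical certificate store standing in for whatever the agent does
// behind /certificate.crt; the real lookup is not reproduced here.
func loadCertificate(name string) ([]byte, error) {
	if name != "agent" {
		return nil, fmt.Errorf("certificate %s not found", name)
	}
	// Constructed placeholder, not a real certificate.
	return []byte("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"), nil
}

// vulnerableCertHandler shows the anti-pattern: the error text, which
// carries the raw query value, is written into an HTML body unescaped.
func vulnerableCertHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name") // attacker-controlled via the link
	cert, err := loadCertificate(name)
	if err != nil {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprintf(w, "<html><body><h1>Error</h1><p>%s</p></body></html>", err.Error())
		return
	}
	w.Header().Set("Content-Type", "application/x-x509-ca-cert")
	w.Write(cert)
}

// hardenedCertHandler keeps the same behaviour for legitimate clients but
// HTML-escapes anything derived from the request before it reaches an HTML
// body and tells the browser not to sniff the content type.
func hardenedCertHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	cert, err := loadCertificate(name)
	if err != nil {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprintf(w, "<html><body><h1>Error</h1><p>%s</p></body></html>",
			html.EscapeString(err.Error()))
		return
	}
	w.Header().Set("Content-Type", "application/x-x509-ca-cert")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(cert)
}

// probe sends payload as the ?name= parameter to the handler and reports the
// response body plus whether the payload came back verbatim, which is the
// condition a reflected-XSS check looks for.
func probe(h http.HandlerFunc, payload string) (body string, reflectedRaw bool) {
	req := httptest.NewRequest(http.MethodGet,
		"/certificate.crt?name="+url.QueryEscape(payload), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	body = rec.Body.String()
	return body, strings.Contains(body, payload)
}

func main() {
	payload := `<script>alert(document.domain)</script>` // constructed test payload
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableCertHandler}, {"hardened", hardenedCertHandler}} {
		body, raw := probe(c.h, payload)
		fmt.Printf("%-10s reflected unescaped: %v\n%s\n\n", c.name, raw, body)
	}
}
```

Escaping at the point where request-derived text enters the HTML body is the fix that generalises; switching the error response to `text/plain` with `nosniff` is an equally valid alternative when the endpoint never needs to render HTML at all.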
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-49296
- JSON: https://github.com/CVEProject/cvelist/tree/c35eef3fb59240658d243fe1a204371de79b81d1/2023/49xxx/CVE-2023-49296.json
- advisory: GHSA-j5hc-wx84-844h
- fix: arduino/arduino-create-agent@9a0e582
- Imported by: https://pkg.go.dev/github.com/arduino/arduino-create-agent?tab=importedby
Cross references:
- Module github.com/arduino/arduino-create-agent appears in issue x/vulndb: potential Go vuln in github.com/arduino/arduino-create-agent: GHSA-4x5q-q7wc-q22p #2122 EFFECTIVELY_PRIVATE
- Module github.com/arduino/arduino-create-agent appears in issue x/vulndb: potential Go vuln in github.com/arduino/arduino-create-agent: GHSA-mjq6-pv9c-qppq #2123 EFFECTIVELY_PRIVATE
- Module github.com/arduino/arduino-create-agent appears in issue x/vulndb: potential Go vuln in github.com/arduino/arduino-create-agent: GHSA-75j7-w798-cwwx #2124 EFFECTIVELY_PRIVATE
- Module github.com/arduino/arduino-create-agent appears in issue x/vulndb: potential Go vuln in github.com/arduino/arduino-create-agent: GHSA-m5jc-r4gf-c6p8 #2126 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/arduino/arduino-create-agent
vulnerable_at: 0.0.0-20231211102506-e52bb0070110
packages:
- package: arduino-create-agent
cves:
- CVE-2023-49296
references:
- advisory: https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h
- fix: https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8