ByteOS Network

NVD Vulnerability Details :

CVE-2023-30856

Analyzed

Source-security-advisories@github.com

Published At-28 Apr, 2023 | 16:15

Updated At-10 May, 2023 | 16:48

eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking. When running eDEX-UI and browsing the web, a malicious website can connect to eDEX's internal terminal control websocket, and send arbitrary commands to the shell. The project has been archived since 2021, and as of time of publication there are no plans to patch this issue and release a new version. Some workarounds are available, including shutting down eDEX-UI when browsing the web and ensuring the eDEX terminal runs with lowest possible privileges.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Secondary	3.1	8.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Type: Primary

Version: 3.1

Base score: 10.0

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CPE Matches

edex-ui_project>>edex-ui>>Versions up to 2.2.8(inclusive)

cpe:2.3:a:edex-ui_project:edex-ui:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-346	Primary	nvd@nist.gov
CWE-1385	Secondary	security-advisories@github.com
CWE-346	Secondary	security-advisories@github.com

CWE ID: CWE-346

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-1385

Type: Secondary