CVE-2023-49296
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-49296
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49296.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-49296
- Aliases
-
- GHSA-j5hc-wx84-844h
- Published
- 2023-12-13T19:54:34.638Z
- Modified
- 2025-12-05T00:12:16.781338Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Arduino Create Agent vulnerable to Reflected Cross-Site Scripting
- Details
-
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint
/certificate.crtand the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49296.json", "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49296.json
- https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8
- https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h
- https://nvd.nist.gov/vuln/detail/CVE-2023-49296