Search criteria
6 vulnerabilities by arduino
CVE-2025-27608 (GCVE-0-2025-27608)
Vulnerability from cvelistv5 – Published: 2025-04-02 21:09 – Updated: 2025-04-03 14:01
VLAI?
Summary
Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arduino | arduino-ide |
Affected:
< 2.3.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T14:01:39.340396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T14:01:53.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arduino-ide",
"vendor": "arduino",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -\u003e Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T21:09:16.943Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/arduino/arduino-ide/security/advisories/GHSA-252h-4j5q-88pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/arduino/arduino-ide/security/advisories/GHSA-252h-4j5q-88pc"
},
{
"name": "https://github.com/arduino/arduino-ide/commit/d298b3ffc94008e89066cd999d891e84190da18f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/arduino/arduino-ide/commit/d298b3ffc94008e89066cd999d891e84190da18f"
}
],
"source": {
"advisory": "GHSA-252h-4j5q-88pc",
"discovery": "UNKNOWN"
},
"title": "Self Cross-Site Scripting in Arduino IDE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27608",
"datePublished": "2025-04-02T21:09:16.943Z",
"dateReserved": "2025-03-03T15:10:34.079Z",
"dateUpdated": "2025-04-03T14:01:53.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49296 (GCVE-0-2023-49296)
Vulnerability from cvelistv5 – Published: 2023-12-13 19:54 – Updated: 2024-08-02 21:53
VLAI?
Summary
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.
Severity ?
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arduino | arduino-create-agent |
Affected:
< 1.3.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:44.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h"
},
{
"name": "https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "arduino-create-agent",
"vendor": "arduino",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-13T19:54:34.638Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h"
},
{
"name": "https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8"
}
],
"source": {
"advisory": "GHSA-j5hc-wx84-844h",
"discovery": "UNKNOWN"
},
"title": "Arduino Create Agent vulnerable to Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49296",
"datePublished": "2023-12-13T19:54:34.638Z",
"dateReserved": "2023-11-24T16:45:24.314Z",
"dateUpdated": "2024-08-02T21:53:44.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43800 (GCVE-0-2023-43800)
Vulnerability from cvelistv5 – Published: 2023-10-18 21:07 – Updated: 2024-09-12 20:04
VLAI?
Summary
Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.
Severity ?
7.3 (High)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arduino | arduino-create-agent |
Affected:
< 1.3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:03:44.423487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:04:21.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arduino-create-agent",
"vendor": "arduino",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-02T17:32:18.720Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
}
],
"source": {
"advisory": "GHSA-4x5q-q7wc-q22p",
"discovery": "UNKNOWN"
},
"title": "Insufficient Verification of Data Authenticity in Arduino Create Agent"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43800",
"datePublished": "2023-10-18T21:07:21.601Z",
"dateReserved": "2023-09-22T14:51:42.340Z",
"dateUpdated": "2024-09-12T20:04:21.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43801 (GCVE-0-2023-43801)
Vulnerability from cvelistv5 – Published: 2023-10-18 21:06 – Updated: 2024-09-12 20:04
VLAI?
Summary
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.
Severity ?
6.1 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arduino | arduino-create-agent |
Affected:
< 1.3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-mjq6-pv9c-qppq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-mjq6-pv9c-qppq"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:04:09.946178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:04:35.655Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arduino-create-agent",
"vendor": "arduino",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-02T17:34:18.109Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-mjq6-pv9c-qppq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-mjq6-pv9c-qppq"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
}
],
"source": {
"advisory": "GHSA-mjq6-pv9c-qppq",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Arduino Create Agent"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43801",
"datePublished": "2023-10-18T21:06:12.775Z",
"dateReserved": "2023-09-22T14:51:42.340Z",
"dateUpdated": "2024-09-12T20:04:35.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43802 (GCVE-0-2023-43802)
Vulnerability from cvelistv5 – Published: 2023-10-18 20:39 – Updated: 2024-09-12 20:04
VLAI?
Summary
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arduino | arduino-create-agent |
Affected:
< 1.3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:04:06.339162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:04:49.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arduino-create-agent",
"vendor": "arduino",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-02T17:33:19.918Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
}
],
"source": {
"advisory": "GHSA-75j7-w798-cwwx",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Arduino Create Agent"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43802",
"datePublished": "2023-10-18T20:39:09.518Z",
"dateReserved": "2023-09-22T14:51:42.340Z",
"dateUpdated": "2024-09-12T20:04:49.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43803 (GCVE-0-2023-43803)
Vulnerability from cvelistv5 – Published: 2023-10-18 20:36 – Updated: 2025-02-13 17:13
VLAI?
Summary
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.1 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arduino | arduino-create-agent |
Affected:
< 1.3.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-m5jc-r4gf-c6p8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-m5jc-r4gf-c6p8"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:03:02.837302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:05:16.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arduino-create-agent",
"vendor": "arduino",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-08T13:06:57.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-m5jc-r4gf-c6p8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-m5jc-r4gf-c6p8"
},
{
"name": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3"
},
{
"name": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00005.html"
}
],
"source": {
"advisory": "GHSA-m5jc-r4gf-c6p8",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Arduino Create Agent"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43803",
"datePublished": "2023-10-18T20:36:29.697Z",
"dateReserved": "2023-09-22T14:51:42.340Z",
"dateUpdated": "2025-02-13T17:13:31.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}