Home > Vulnerability Database > CVE-2023-30856

Mend.io Vulnerability Database

CVE-2023-30856

Date: April 28, 2023

eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking. When running eDEX-UI and browsing the web, a malicious website can connect to eDEX's internal terminal control websocket, and send arbitrary commands to the shell. The project has been archived since 2021, and as of time of publication there are no plans to patch this issue and release a new version. Some workarounds are available, including shutting down eDEX-UI when browsing the web and ensuring the eDEX terminal runs with lowest possible privileges.

Language: JS

Severity Score

10.0

Related Resources (5)

Url: https://christian-schneider.net/CrossSiteWebSocketHijacking.html

Url: https://github.com/GitSquared/edex-ui/security/advisories/GHSA-q8xc-f2wf-ffh9

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30856

Url: https://github.com/GitSquared/edex-ui/blob/04a00c4079908788b371c6ecdefff96d0d9950f8/src/classes/terminal.class.js#L458

Url: https://www.mend.io/vulnerability-database/CVE-2023-30856

Severity Score

10.0

Weakness Type (CWE)

Origin Validation Error

CWE-346

Missing Origin Validation in WebSockets

CWE-1385

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30856

Date: April 28, 2023

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?