CVE-2023-30856
moderate-risk
Published 2023-04-28
eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site WebSocket hijacking. When eDEX-UI is running and the user browses the web, a malicious website can connect to eDEX's internal terminal control WebSocket and send arbitrary commands to the shell. The project has been archived since 2021, and as of the time of publication there are no plans to patch this issue and release a new version. Some workarounds are available, including shutting down eDEX-UI when browsing the web and ensuring the eDEX terminal runs with the lowest possible privileges.
Do I need to act?
EPSS: 0.19% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 8.3/10 (High); attack vector NETWORK, LOW attack complexity
Affected Products (1)
eDEX-UI
Affected Vendors
References (6)
Technical Description
https://christian-schneider.net/CrossSiteWebSocketHijacking.html
Overall score: 35/100 (moderate-risk)
Severity: 29/34 · Critical
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal