CVE-2023-49296 - Reflected Cross-Site Scripting in Arduino Create Agent
Summary
The Arduino Create Agent lets the Arduino Create web applications upload code to any USB-connected Arduino board directly from the browser. In versions prior to 1.3.6, the `/certificate.crt` endpoint and the way the agent's web interface renders custom error messages allow a reflected Cross-Site Scripting attack: an attacker who can persuade a victim into clicking a malicious link can execute arbitrary client-side code in the victim's browser, in the context of the Create Agent's web interface. Version 1.3.6 contains a fix for the issue.
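The pattern behind this class of bug, as an added example that is not the Arduino Create Agent's own code: a request-controlled string is written into an HTML error page without escaping, so a crafted link reflects script back to the victim. The Create Agent is written in Go, so the example uses `net/http`; the handler names, the `reason` query parameter and the error-page markup are assumptions chosen for illustration, and the placeholder certificate bytes are not a real certificate. The vulnerable handler is shown beside a hardened one, and a small in-process harness compares what a browser would receive from each.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed example, not the project's code: handler names, the "reason"
// parameter and the error markup are assumptions made for illustration.

// xssPayload is what a malicious link would carry in the query string.
const xssPayload = `<script>alert(document.domain)</script>`

// serveCertificate stands in for the real download; the bytes are a placeholder.
func serveCertificate(w http.ResponseWriter) {
	w.Header().Set("Content-Type", "application/x-x509-ca-cert")
	fmt.Fprint(w, "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n")
}

// vulnerableCertHandler reflects the request-controlled "reason" into an HTML
// error page unescaped. Because the response is text/html, the browser renders
// the attacker's markup and runs the script.
func vulnerableCertHandler(w http.ResponseWriter, r *http.Request) {
	reason := r.URL.Query().Get("reason")
	if reason != "" {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprintf(w, "<html><body><h1>Error</h1><p>%s</p></body></html>", reason)
		return
	}
	serveCertificate(w)
}

// hardenedCertHandler applies two independent fixes: the reflected value is
// HTML-escaped, and the error is served as text/plain with nosniff so the
// browser would not interpret it as markup even if escaping were missed.
func hardenedCertHandler(w http.ResponseWriter, r *http.Request) {
	reason := r.URL.Query().Get("reason")
	if reason != "" {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprintf(w, "Error: %s\n", html.EscapeString(reason))
		return
	}
	serveCertificate(w)
}

// response captures what a browser would receive from one handler call.
type response struct {
	Status      int
	ContentType string
	Body        string
}

// callHandler exercises a handler in-process with GET /certificate.crt?rawQuery,
// so both variants can be compared without starting a server.
func callHandler(h http.HandlerFunc, rawQuery string) response {
	req := httptest.NewRequest(http.MethodGet, "/certificate.crt?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return response{rec.Code, rec.Header().Get("Content-Type"), rec.Body.String()}
}

// reflectedUnescaped reports whether the payload comes back verbatim inside an
// HTML response, i.e. whether a browser following the link would execute it.
func reflectedUnescaped(resp response) bool {
	return strings.HasPrefix(resp.ContentType, "text/html") &&
		strings.Contains(resp.Body, xssPayload)
}

func main() {
	query := "reason=" + url.QueryEscape(xssPayload)
	for name, h := range map[string]http.HandlerFunc{
		"vulnerable": vulnerableCertHandler,
		"hardened":   hardenedCertHandler,
	} {
		resp := callHandler(h, query)
		fmt.Printf("%-10s status=%d type=%q exploitable=%v\n",
			name, resp.Status, resp.ContentType, reflectedUnescaped(resp))
	}
}
```

Escaping the reflected value is the fix for this bug; serving the error as `text/plain` with `nosniff` is defence in depth, and an allowlist of fixed server-side error messages keyed by an error code removes the reflected input altogether. The exact change the project shipped is in the commit linked under References.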
Vulnerable Configurations
- Arduino Create Agent, all versions prior to 1.3.6
References
- https://github.com/arduino/arduino-create-agent/commit/9a0e582bb8a1ff8e70d202943ddef8625ccefcc8
- https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-j5hc-wx84-844h