CVE-2023-30856: 
Homebrew vulnerability analysis and mitigation

eDEX-UI, a science fiction terminal emulator, versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking (CSWSH). The vulnerability was discovered and disclosed on April 28, 2023, affecting all versions up to and including 2.2.8. This security issue allows malicious websites to connect to eDEX's internal terminal control websocket and execute arbitrary commands in the shell when users are browsing the web while running eDEX-UI (GitHub Advisory, NVD).

The vulnerability stems from a missing origin validation in the WebSocket implementation. The issue occurs when the WebSocket server accepts connections without proper origin verification, allowing cross-site WebSocket hijacking. The CVSS v3.1 base score is rated as 10.0 CRITICAL by NVD (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), while GitHub rates it as 8.3 HIGH. The vulnerability is tracked as CWE-346 (Origin Validation Error) and CWE-1385 (Missing Origin Validation in WebSockets) (NVD, CSWSH Technical Description).

When exploited, this vulnerability allows an attacker to execute arbitrary commands in the user's shell through the terminal control websocket. This can lead to complete system compromise as the attacker gains the ability to run commands with the same privileges as the eDEX-UI process (GitHub Advisory).

As the project has been archived since 2021, no official patch is available or planned. Users can implement two workarounds: 1) Shut down eDEX-UI when browsing the web, and 2) Ensure the eDEX terminal runs with the lowest possible privileges to mitigate potential risks (GitHub Advisory).