
Cloud Vulnerability DB
A community-led vulnerabilities database
Yamcs 5.8.6 contains a stored Cross-Site Scripting (XSS) vulnerability. Its primary storage mechanism, the Bucket, accepts uploads of any file type. An attacker can upload a display that references a malicious JavaScript file to a bucket, then open the uploaded display by selecting Telemetry from the menu and navigating to it (VisionSpace Assessment).
The vulnerability lies in the storage functionality that lets users upload files to buckets without restricting what is later served back from them. An attacker can upload either an HTML file containing arbitrary JavaScript or a display file that references a malicious JavaScript file. When a user opens either file through the web interface, the script executes in the browser context of the Yamcs web application, with that user's session. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD): the attacker needs an account with bucket upload rights (PR:L), and a victim must open the uploaded content (UI:R).
A successful exploitation could allow an attacker to execute arbitrary JavaScript code in the victim's browser context, potentially leading to theft of sensitive information like session cookies or performing actions on behalf of the victim user (VisionSpace Assessment).
The vulnerability has been fixed in version 5.8.7. Users are recommended to upgrade to this version or later. The fix prevents arbitrary JavaScript code execution for uploaded files (GitHub Patch).
Source: This report was generated using AI