CVE-2023-45280: 
Java vulnerability analysis and mitigation

Yamcs 5.8.6 contains a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary JavaScript code. The vulnerability exists in the Bucket storage mechanism, which is used as the primary storage system. An attacker can upload an HTML file containing malicious JavaScript code and then navigate to it, causing the browser to execute the arbitrary JavaScript when the file is opened (VisionSpace Advisory).

The vulnerability (CVE-2023-45280) is one of two XSS issues found in Yamcs 5.8.6. The system's Bucket storage allows for uploading any file type, including HTML files containing arbitrary JavaScript code. When such files are accessed through the browser, the malicious JavaScript is executed without proper sanitization. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers. This could lead to theft of sensitive information, session hijacking, or other client-side attacks. The impact is particularly concerning given that Yamcs is used by major organizations including NASA, DLR, AIRBUS, and Astrobotic for spacecraft and satellite control (VisionSpace Advisory).

The vulnerability has been fixed in version 5.8.7. The patch prevents code execution for various file types, though HTML files were previously exempt from these protections. Organizations using affected versions should upgrade to version 5.8.7 or later (GitHub Patch).

The vulnerability was discovered and reported by VisionSpace Technologies as part of their security assessment of the Yamcs system. The Yamcs team responded promptly by implementing fixes for all reported vulnerabilities, demonstrating their commitment to security (VisionSpace Advisory).