CVE-2023-49296: 
Arduino Create Agent vulnerability analysis and mitigation

The Arduino Create Agent, which allows users to upload code to USB-connected Arduino boards directly from the browser, contains a Reflected Cross-Site Scripting (XSS) vulnerability in versions prior to 1.3.6. The vulnerability affects the /certificate.crt endpoint and the web interface's handling of custom error messages (GitHub Advisory).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST and 6.3 (Medium) by GitHub with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The vulnerability specifically involves the way the web interface handles custom error messages and the /certificate.crt endpoint (NVD, GitHub Advisory).

If successfully exploited, an attacker could execute arbitrary browser client-side code in the context of the web interface of the create agent. This requires persuading a victim to click on a malicious link (GitHub Advisory).

The vulnerability has been fixed in version 1.3.6 of the Arduino Create Agent. Users should upgrade to this version to address the security issue. The fix involved removing the /certificate.crt endpoint and moving from text/template to html/template to utilize built-in Output Encoding capabilities (GitHub Patch).