
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenC3 COSMOS, a web application used to control satellites and test equipment, contains a vulnerability (CVE-2024-47529) where user passwords are stored unencrypted in the browser's LocalStorage. The vulnerability was discovered on July 1, 2024, and affects versions prior to 5.19.0 of the Open Source edition, but not the Enterprise Edition. A fix was released on October 2, 2024, with version 5.19.0 (GitHub Advisory, Security Lab).
The vulnerability stems from storing user passwords in cleartext in the browser's LocalStorage via the Login.vue component. The issue was identified in that component's login function, which assigns the raw password directly to storage: localStorage.openc3Token = this.password. This violates secure password handling practices and is tracked as CWE-312 (Cleartext Storage of Sensitive Information). The vulnerability has a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).
The vulnerability makes user passwords susceptible to exfiltration via cross-site scripting (XSS) attacks. An attacker who already has access to the COSMOS instance could use a stolen password to gain a more permanent foothold in it. Additionally, local attackers could read the stored passwords directly from LocalStorage, which is more severe than stealing session IDs, since session IDs expire automatically while passwords do not (Security Lab).
The vulnerability has been fixed in OpenC3 COSMOS version 5.19.0. Users should upgrade to this version or later to address the issue. The fix implements a session-based token authentication system instead of storing raw passwords (GitHub Commit).
Source: This report was generated using AI