eDEX-UI cross-site websocket hijacking vulnerability enables remote command execution

eDEX-UI is a science fiction terminal emulator. Versions 2.2.8 and prior are vulnerable to cross-site websocket hijacking. When running eDEX-UI and browsing the web, a malicious website can connect to eDEX's internal terminal control websocket, and send arbitrary commands to the shell. The project has been archived since 2021, and as of time of publication there are no plans to patch this issue and release a new version. Some workarounds are available, including shutting down eDEX-UI when browsing the web and ensuring the eDEX terminal runs with lowest possible privileges.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE-1385

eDEX-UI 访问控制错误漏洞

eDEX-UI是法国Gabriel Saillard个人开发者的一个全屏、跨平台的终端仿真器和系统监视器。 eDEX-UI 2.2.8版本及之前版本存在安全漏洞，该漏洞源于容易受到跨网站网络劫持的影响，恶意网站可以连接到eDEX的内部终端控制websocket，并向shell发送任意命令。

N/A

N/A