Approved changes feed: RSS · Atom

cpe:2.3:a:arduino:create_agent:*:*:*:*:*:go:*:*

part: a version: * update: *

VendorArduino (a6c9e11a-439e-5c89-be14-a8208b9cb88c)
ProductCreate Agent (43d6dff8-ee60-51b7-998a-756a8aaef22e)
Edition*
Language*
Software edition*
Target softwarego
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2023-49296 vulnerable 2026-06-08 06:14:28.988412 Arduino Create Agent vulnerable to Reflected Cross-Site Scripting
MEDIUM (6.3)
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.
Published: 2023-12-13T19:54:34.638Z
Updated: 2024-08-02T21:53:44.988Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-43803 vulnerable 2026-06-08 06:12:38.051201 Path traversal in Arduino Create Agent
MEDIUM (6.1)
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Published: 2023-10-18T20:36:29.697Z
Updated: 2025-02-13T17:13:31.137Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-43802 vulnerable 2026-06-08 06:12:38.050664 Path traversal in Arduino Create Agent
HIGH (7.1)
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Published: 2023-10-18T20:39:09.518Z
Updated: 2024-09-12T20:04:49.780Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-43801 vulnerable 2026-06-08 06:12:38.050134 Path traversal in Arduino Create Agent
MEDIUM (6.1)
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.
Published: 2023-10-18T21:06:12.775Z
Updated: 2024-09-12T20:04:35.655Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-43800 vulnerable 2026-06-08 06:12:38.049427 Insufficient Verification of Data Authenticity in Arduino Create Agent
HIGH (7.3)
Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.
Published: 2023-10-18T21:07:21.601Z
Updated: 2024-09-12T20:04:21.852Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.