OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS cont…

OpenC3 COSMOS versions 5.0.0 to 6.10.1 contain a critical remote code execution vulnerability in the JSON-RPC API. The vulnerability occurs when attacker-controlled parameter text is parsed using String#convert_to_value, which executes eval() for array-like inputs. Unauthenticated attackers can trigger Ruby code execution through the cmd code path before authorization checks occur. The vulnerability affects embedded systems command and control functionality. Fixed in version 6.10.2.