OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0…

A SQL injection vulnerability affects OpenC3 COSMOS versions 6.7.0 to before 7.0.0-rc3 in the Time-Series Database (TSDB) component. The vulnerability exists in the tsdb_lookup function within the cvt_model.rb file, which directly places user-supplied input into SQL queries without proper sanitization. This allows attackers to break out of the initial SQL statement and execute arbitrary SQL commands, including data deletion. The issue has been patched in version 7.0.0-rc3. OpenC3 COSMOS is a system that provides functionality for sending commands to and receiving data from embedded systems.