CVE-2023-46471 in Yamcs
Summary
by MITRE • 11/20/2023
Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via the text variable scriptContainer of the ScriptViewer.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability identified as CVE-2023-46471 represents a critical cross site scripting flaw within the Space Applications Services Yamcs v.5.8.6 platform that poses significant security risks to organizations relying on this space mission control software. This issue specifically affects the ScriptViewer component where user-supplied input through the text variable scriptContainer is not properly sanitized or validated before being rendered in the web interface. The vulnerability falls under the CWE-79 category of Cross Site Scripting, which is a fundamental web application security weakness that allows attackers to inject malicious scripts into web pages viewed by other users. Yamcs is widely used in space applications for mission control and telemetry processing, making this vulnerability particularly concerning for aerospace and defense organizations that depend on secure operational environments.
The technical exploitation of this vulnerability occurs when a remote attacker crafts malicious input containing script code within the scriptContainer variable of the ScriptViewer functionality. When this malformed input is processed and displayed in the web interface, the embedded scripts execute in the context of other users' browsers, potentially leading to session hijacking, data theft, or further exploitation of the compromised user sessions. The attack vector is entirely remote, meaning no local access or authentication is required to exploit this weakness, which significantly increases the attack surface and potential impact. This type of vulnerability typically allows for persistent XSS attacks where malicious scripts can be stored on the server and executed whenever users view the affected content, creating a long-term threat to the system's integrity and user security.
The operational impact of CVE-2023-46471 extends beyond traditional web application security concerns due to the specialized nature of Yamcs software used in space missions and critical infrastructure applications. Organizations utilizing this platform may face unauthorized access to sensitive mission data, potential disruption of space operations, or compromise of critical telemetry and command systems. The vulnerability could enable attackers to gain insights into operational procedures, system configurations, or even manipulate mission-critical data flows through the execution of malicious scripts in users' browser environments. Given that Yamcs is deployed in high-stakes environments where system integrity and data security are paramount, this XSS vulnerability creates a significant risk that could potentially affect mission success and operational safety.
Organizations should implement immediate mitigations including input validation and output encoding for all user-supplied data within the scriptContainer variable, ensuring that any potentially malicious script content is properly escaped or removed before rendering in the web interface. The implementation of Content Security Policy headers can provide additional protection against script execution, while regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other components of the Yamcs platform. According to ATT&CK framework category T1566, this vulnerability represents a technique for Initial Access through malicious web content, while the execution phase aligns with T1059 for command and scripting interpreter. Organizations should also consider implementing web application firewalls to detect and block suspicious script injection attempts, and maintain updated security patches for the Yamcs platform to prevent exploitation of this and related vulnerabilities.