CVE-2023-27472

2023-03-0619:15:10

CWE-79

[email protected]

web.nvd.nist.gov

quickentity-editor-next

open source

system local

video game asset editor

html tags

xss vulnerability

patch

upgrade

security

cve-2023-27472

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

32.3%

JSON

quickentity-editor-next is an open source, system local, video game asset editor. In affected versions HTML tags in entity names are not sanitised (XSS vulnerability). Allows arbitrary code execution within the browser sandbox, among other things, simply from loading a file containing a script tag in any entity name. This issue has been patched in version 1.28.1 of the application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

atampy25quickentity_editor_nextRange<1.28.1

CPENameOperatorVersion
quickentity_editor_project:quickentity_editorquickentity editor project quickentity editorlt1.28.1

CPE	Name	Operator	Version
quickentity_editor_project:quickentity_editor	quickentity editor project quickentity editor	lt	1.28.1

CNA Affected

[
  {
    "vendor": "atampy25",
    "product": "quickentity-editor-next",
    "versions": [
      {
        "version": "< 1.28.1",
        "status": "affected"
      }
    ]
  }
]