Lucene search

GitHub_MCVE-2024-42366

HistoryAug 08, 2024 - 5:15 p.m.

CVE-2024-42366

2024-08-0817:15:19

CWE-269

CWE-79

GitHub_M

web.nvd.nist.gov

vrcx

remote command execution

cefsharp

over-permission

cross-site scripting

vrc team

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC’s API side. Users who use the older version of VRCX must update their installation to continue using VRCX.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

vrcx-teamvrcxRange<2024.03.23

VendorProductVersionCPE
vrcx-teamvrcx*cpe:2.3:a:vrcx-team:vrcx:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vrcx-team	vrcx	*	cpe:2.3:a:vrcx-team:vrcx::::::::

CNA Affected

[
  {
    "vendor": "vrcx-team",
    "product": "VRCX",
    "versions": [
      {
        "version": "< 2024.03.23",
        "status": "affected"
      }
    ]
  }
]

References

github.com/vrcx-team/VRCX/commit/cd2387aa3289f936ce60049121c24b0765bd4180

github.com/vrcx-team/VRCX/security/advisories/GHSA-j98g-mgjm-wqph

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Related for CVE-2024-42366