Lucene search

SnykCVELIST:CVE-2023-26123

HistoryApr 14, 2023 - 5:00 a.m.

CVE-2023-26123

2023-04-1405:00:01

snyk

www.cve.org

cross-site scripting

raylib

vulnerability

setclipboardtext

xss

platform_web

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

0.001 Low

EPSS

Percentile

46.6%

JSON

Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting (XSS) such that the SetClipboardText API does not properly escape the ’ character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via emscripten_run_script function.

Note: This vulnerability is present only when compiling raylib for PLATFORM_WEB. All the other Desktop/Mobile/Embedded platforms are not affected.

CNA Affected

[
  {
    "product": "raysan5/raylib",
    "versions": [
      {
        "version": "0",
        "lessThan": "4.5.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

References

github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d

github.com/raysan5/raylib/issues/2954

github.com/raysan5/raylib/releases/tag/4.5.0

security.snyk.io/vuln/SNYK-UNMANAGED-RAYSAN5RAYLIB-5421188

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

0.001 Low

EPSS

Percentile

46.6%

JSON

Related for CVELIST:CVE-2023-26123