Lucene search

GitHub_MCVELIST:CVE-2023-27472

HistoryMar 06, 2023 - 6:12 p.m.

CVE-2023-27472 HTML tags in entity names in the tree view are not sanitised in quickentity-editor-next

2023-03-0618:12:47

CWE-79

GitHub_M

www.cve.org

cve-2023-27472

html tags

entity names

sanitised

quickentity-editor-next

xss

arbitrary code execution

browser sandbox

patch

upgrade

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

32.4%

JSON

quickentity-editor-next is an open source, system local, video game asset editor. In affected versions HTML tags in entity names are not sanitised (XSS vulnerability). Allows arbitrary code execution within the browser sandbox, among other things, simply from loading a file containing a script tag in any entity name. This issue has been patched in version 1.28.1 of the application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "atampy25",
    "product": "quickentity-editor-next",
    "versions": [
      {
        "version": "< 1.28.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/atampy25/quickentity-editor-next/commit/5303b45a20a6e4e9318729b8dd7bbf09b37b369d

github.com/atampy25/quickentity-editor-next/security/advisories/GHSA-22gc-rq5x-fxpw

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

32.4%

JSON

Related for CVELIST:CVE-2023-27472