Lucene search

GitHub_MCVELIST:CVE-2024-42366

HistoryAug 08, 2024 - 4:51 p.m.

CVE-2024-42366 VR Overlay RCE

2024-08-0816:51:07

CWE-79

CWE-269

GitHub_M

www.cve.org

cve-2024-42366

vrchat

remote command execution

vrcx

cefsharp

cross-site scripting

security patch

api block

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

20.0%

JSON

VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC’s API side. Users who use the older version of VRCX must update their installation to continue using VRCX.

CNA Affected

[
  {
    "vendor": "vrcx-team",
    "product": "VRCX",
    "versions": [
      {
        "version": "< 2024.03.23",
        "status": "affected"
      }
    ]
  }
]

References

github.com/vrcx-team/VRCX/commit/cd2387aa3289f936ce60049121c24b0765bd4180

github.com/vrcx-team/VRCX/security/advisories/GHSA-j98g-mgjm-wqph

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

20.0%

JSON

Related for CVELIST:CVE-2024-42366