NVD:CVE-2023-27472
History: Mar 06, 2023 - 7:15 p.m.

CVE-2023-27472

2023-03-06 19:15:10
CWE-79
web.nvd.nist.gov
quickentity-editor-next open-source system-local video-game asset-editor html-tags not-sanitised xss-vulnerability arbitrary-code-execution browser-sandbox patch upgrade vulnerability

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 34.6%

quickentity-editor-next is an open source, system local, video game asset editor. In affected versions, HTML tags in entity names are not sanitised (an XSS vulnerability). This allows arbitrary code execution within the browser sandbox, among other things, simply from loading a file containing a script tag in any entity name. This issue has been patched in version 1.28.1 of the application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd
Node: quickentity_editor_project quickentity_editor, Range <1.28.1

Vendor: quickentity_editor_project
Product: quickentity_editor
Version: *
CPE: cpe:2.3:a:quickentity_editor_project:quickentity_editor:*:*:*:*:*:*:*:*
