Lucene search

GoogleOSV:CVE-2024-42366

HistoryAug 08, 2024 - 5:15 p.m.

CVE-2024-42366

2024-08-0817:15:19

Google

osv.dev

vrcx

vrchat

remote command execution

cross-site scripting

over-permission

security patch

vrc team

api blocking

software update

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC’s API side. Users who use the older version of VRCX must update their installation to continue using VRCX.

References

github.com/vrcx-team/VRCX/commit/cd2387aa3289f936ce60049121c24b0765bd4180

github.com/vrcx-team/VRCX/security/advisories/GHSA-j98g-mgjm-wqph

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Related for OSV:CVE-2024-42366