CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 20.0%
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, an over-permissioned CefSharp browser and cross-site scripting via overlay notification can be combined to achieve remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, the VRCX maintainers worked with the VRC team to block the older versions of VRCX on the VRC’s API side. Users of an older version of VRCX must update their installation to continue using VRCX.
[
  {
    "vendor": "vrcx-team",
    "product": "VRCX",
    "versions": [
      {
        "status": "affected",
        "version": "< 2024.03.23"
      }
    ]
  }
]
[
  {
    "cpes": [
      "cpe:2.3:a:vrcx-team:vrcx:*:*:*:*:*:*:*:*"
    ],
    "vendor": "vrcx-team",
    "product": "vrcx",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2024.03.23",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]