PT-2023-21150 · Unknown · Quickentity-Editor-Next
Atampy25 · Published 2023-03-06 · Updated 2023-03-11 · CVE-2023-27472
CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: quickentity-editor-next versions prior to 1.28.1
Description: The issue concerns an open-source, locally run video game asset editor. In affected versions, HTML tags in entity names are not sanitized, leading to an XSS vulnerability. Simply loading a file that contains a script tag in any entity name allows arbitrary code execution within the browser sandbox, among other things.
Recommendations: For versions prior to 1.28.1, upgrade to version 1.28.1 to resolve the issue. As a temporary workaround, avoid the use of HTML tags in entity names until the upgrade is applied, and restrict access to files that may contain script tags in entity names to minimize the risk of exploitation.
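The bug class the description names, as an added example that is not the project's own code: an entity name read from a loaded file is concatenated into the editor's markup unescaped (the vulnerable pattern) beside the same rendering with escaping, plus a loader-side check that supports the workaround above. The entity file layout, ids and names are constructed for the example.

```javascript
// Added example (not quickentity-editor-next code): unescaped entity names
// from a loaded file reach the UI as HTML; the hardened path escapes them.

// Constructed sample "entity file"; the second entity name carries a script tag.
const SAMPLE_ENTITY_FILE = JSON.stringify({
  entities: {
    "feed00000001": { name: "Door_Main" },
    "feed00000002": { name: "Wall<script>alert(1)</script>" },
  },
});

// Escape the characters that let a value break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted name is concatenated straight into markup,
// so the script tag in the file becomes a real <script> element in the editor.
function renderEntityListUnsafe(fileText) {
  const { entities } = JSON.parse(fileText);
  return Object.entries(entities)
    .map(([id, e]) => `<li data-id="${id}">${e.name}</li>`)
    .join("");
}

// Hardened pattern: every value taken from the file is escaped before it is
// placed in markup (the equivalent of assigning textContent in the DOM).
function renderEntityListSafe(fileText) {
  const { entities } = JSON.parse(fileText);
  return Object.entries(entities)
    .map(([id, e]) => `<li data-id="${escapeHtml(id)}">${escapeHtml(e.name)}</li>`)
    .join("");
}

// Loader-side check matching the advisory's workaround: report entity ids
// whose names contain markup so a file can be reviewed before it is opened.
function findEntityNamesWithMarkup(fileText) {
  const { entities } = JSON.parse(fileText);
  return Object.entries(entities)
    .filter(([, e]) => /[<>]/.test(String(e.name)))
    .map(([id]) => id);
}
```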

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2023-27472
GHSA-22GC-RQ5X-FXPW

Affected Products

Quickentity-Editor-Next