CVE-2024-21625

EPSS 0.85%
Veröffentlicht 04.01.2024 15:15:11
Zuletzt bearbeitet 21.11.2024 08:54:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

One-click remote code execution via malicious deep link

SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol (`sidequest://`) to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized properly in all cases, a one-click remote code execution can be achieved in cases when a device is connected, the user is presented with a malicious link and clicks it from within the application. As of version 0.10.35, the custom protocol links within the electron application are now being parsed and sanitized properly.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sidequestvr ≫ Sidequest Version < 0.10.35

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.85%	0.531

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/SideQuestVR/SideQuest/security/advisories/GHSA-3v86-cf9q-x4x7

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21625

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21625

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21625

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-21625