VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC's API side. Users who use the older version of VRCX must update their installation to continue using VRCX.
History

Fri, 09 Aug 2024 19:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Vrcx-team; Vrcx-team vrcx
CPEs                |                | cpe:2.3:a:vrcx-team:vrcx:*:*:*:*:*:*:*:*
Vendors & Products  |                | Vrcx-team; Vrcx-team vrcx
Metrics             |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Aug 2024 17:00:00 +0000

Type        | Values Removed | Values Added
Description |                | VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, a CefSharp browser with over-permission and cross-site scripting via overlay notification can be combined to result in remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, VRCX maintainers worked with the VRC team and blocked the older version of VRCX on the VRC's API side. Users who use the older version of VRCX must update their installation to continue using VRCX.
Title       |                | VR Overlay RCE
Weaknesses  |                | CWE-269; CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-08-08T16:51:07.016Z

Updated: 2024-08-09T18:46:59.693Z

Reserved: 2024-07-30T14:01:33.923Z

Link: CVE-2024-42366

Vulnrichment

Updated: 2024-08-09T18:46:54.894Z

NVD

Status: Analyzed

Published: 2024-08-08T17:15:19.590

Modified: 2024-08-29T14:04:30.733

Link: CVE-2024-42366

Redhat

No data.