CVE-2024-21625

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21625

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21625.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-21625

Related

GHSA-3v86-cf9q-x4x7

Published

2024-01-04T15:15:11Z

Modified

2025-02-14T11:51:39.433436Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol (sidequest://) to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized properly in all cases, a one-click remote code execution can be achieved in cases when a device is connected, the user is presented with a malicious link and clicks it from within the application. As of version 0.10.35, the custom protocol links within the electron application are now being parsed and sanitized properly.

References

https://github.com/SideQuestVR/SideQuest/security/advisories/GHSA-3v86-cf9q-x4x7

Affected packages

Git / github.com/sidequestvr/sidequest

Affected ranges

Type: GIT
Repo: https://github.com/sidequestvr/sidequest
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

24e7a1dc3d0d2c23c946eced1d19595a073e85c1

Affected versions

v0.*

v0.10.13

v0.10.14

v0.10.15

v0.10.16

v0.10.17

v0.10.18

v0.10.19

v0.10.20

v0.10.21

v0.10.22

v0.10.23

v0.10.24

v0.10.25

v0.10.26

v0.10.27

v0.10.28

v0.10.29

v0.10.30

v0.10.31

v0.10.32

v0.10.33