CVE-2024-21625
- Source
- https://cve.org/CVERecord?id=CVE-2024-21625
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21625.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-21625
- Aliases
-
- GHSA-3v86-cf9q-x4x7
- Published
- 2024-01-04T14:48:34.782Z
- Modified
- 2026-05-15T04:08:56.727761717Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- One-click remote code execution via malicious deep link
- Details
-
SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol (
sidequest://) to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized properly in all cases, a one-click remote code execution can be achieved in cases when a device is connected, the user is presented with a malicious link and clicks it from within the application. As of version 0.10.35, the custom protocol links within the electron application are now being parsed and sanitized properly. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-20" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21625.json" }- References