CVE-2023-26123

CVSS V2 None CVSS V3 None

Description

Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting (XSS) such that the SetClipboardText API does not properly escape the ' character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via emscripten_run_script function. **Note:** This vulnerability is present only when compiling raylib for PLATFORM_WEB. All the other Desktop/Mobile/Embedded platforms are not affected.

Overview

CVE ID
CVE-2023-26123

Assigner
report@snyk.io

Vulnerability Status
Analyzed

Published Version
2023-04-14T05:15:13

Last Modified Date
2023-04-21T03:45:53

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:raylib:raylib::::::::	1	OR		4.5.0

References

Reference URL	Reference Tags
https://github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d
https://github.com/raysan5/raylib/issues/2954
https://github.com/raysan5/raylib/releases/tag/4.5.0
https://security.snyk.io/vuln/SNYK-UNMANAGED-RAYSAN5RAYLIB-5421188

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26123
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26123

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 04:42:37				Added to TrackCVE
2023-04-19 14:00:43	Awaiting Analysis	Undergoing Analysis	Vulnerability Status	updated
2023-04-21 04:01:00		2023-04-21T03:45:53	CVE Modified Date	updated
2023-04-21 04:01:00	Undergoing Analysis	Analyzed	Vulnerability Status	updated
2023-04-21 04:01:02			Weakness Enumeration	new
2023-04-21 04:01:04			CPE Information	updated