CVE-2024-42366 CRITICAL

CVE-2024-42366: VR Overlay RCE

Vendor Vrcx-Team
Product VRCX
Weakness CWE-79 · XSS
Published August 8, 2024
Last update August 9, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

VRCX is an assistant/companion application for VRChat. In versions prior to 2024.03.23, an over-permissioned CefSharp browser and cross-site scripting via overlay notifications can be combined to achieve remote command execution. These vulnerabilities are patched in VRCX 2023.12.24. In addition to the patch, the VRCX maintainers worked with the VRC team to block older VRCX versions on the VRC API side. Users running an older version of VRCX must update their installation to continue using VRCX.

Key dates

Disclosure timeline

August 8, 2024 CVE published
August 9, 2024 Record updated