CVE-2011-2764

High

Description

The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.

References

https://security.gentoo.org/glsa/201706-23

https://exchange.xforce.ibmcloud.com/vulnerabilities/68870

http://www.securityfocus.com/bid/48915

http://www.securityfocus.com/archive/1/519051/100/0/threaded

http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff

http://svn.icculus.org/quake3?view=rev&revision=2098

http://securityreason.com/securityalert/8324

http://secunia.com/advisories/45540

http://secunia.com/advisories/45539

http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063460.html

Details

Source: Mitre, NVD

Published: 2011-08-04

Updated: 2018-10-09

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High