CVE-2023-27472

8.2 HIGH

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in quickentity-editor-next, a local video game asset editor. When a user loads a project file whose entity names contain malicious HTML tags, the attacker's arbitrary JavaScript executes in the user's browser context. All users running affected versions are vulnerable.

💻 Affected Systems

Products:
  • quickentity-editor-next
Versions: All versions before 1.28.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: This is a desktop application that runs locally, not a web service. Vulnerability triggers when loading malicious project files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the user's system through browser-based attacks, including credential theft, malware installation, or data exfiltration via the browser sandbox.

🟠 Likely Case

Session hijacking, cookie theft, or malicious actions performed within the application context, potentially leading to further system compromise.

🟢 If Mitigated

Limited impact if browser security controls like Content Security Policy are enforced, though XSS could still enable phishing or limited data theft.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to load a malicious file, but no authentication is needed once the file is loaded.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.28.1

Vendor Advisory: https://github.com/atampy25/quickentity-editor-next/security/advisories/GHSA-22gc-rq5x-fxpw

Restart Required: Yes

Instructions:

1. Download version 1.28.1 or later from the official repository.
2. Uninstall the old version.
3. Install the new version.
4. Restart the application.

🔧 Temporary Workarounds

No known workarounds

The advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Avoid loading untrusted project files from unknown sources.
  • Use the application in a sandboxed environment or virtual machine to limit potential damage.

🔍 How to Verify

Check if Vulnerable:

Check the application version in the About menu or settings. If the version is below 1.28.1, the installation is vulnerable.

Check Version:

Check the application's About dialog or settings panel for version information.

Verify Fix Applied:

After updating, verify the version shows 1.28.1 or higher in the application interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file loading activity
  • JavaScript errors or unexpected script execution in application logs

Network Indicators:

  • Unexpected outbound connections from the application to external domains

SIEM Query:

Not applicable as this is a local desktop application without centralized logging by default.
