CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17707 – Epic Games Launcher Protocol Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-17707
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Epic Games Launcher versions prior to 8.2.2. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handler for the com.epicgames.launcher protocol. A crafted URI with the com.epicgames.launcher protocol can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://www.zerodayinitiative.com/advisories/ZDI-18-1359 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.3EPSS: 4%CPEs: 8EXPL: 2CVE-2010-2702
https://notcve.org/view.php?id=CVE-2010-2702
Buffer overflow in the UGameEngine::UpdateConnectingMessage function in the Unreal engine 1, 2, and 2.5, as used in multiple games including Unreal Tournament 2004, Unreal tournament 2003, Postal 2, Raven Shield, and SWAT4, when downloads are enabled, allows remote attackers to execute arbitrary code via a long LEVEL field in a WELCOME response to a download request. Un desbordamiento de búfer en la función UGameEngine::UpdateConnectingMessage en el motor de Unreal v1, v2 y v2.5, tal como se utiliza en múltiples juegos, incluyendo Unreal Tournament 2004, Unreal tournament 2003, Postal 2, Raven Shield y SWAT4, cuando las descargas están permitidas, permite ejecutar código arbitrario a atacantes remotos a través de un campo LEVEL demasiado largo en una respuesta WELCOME a una solicitud de descarga. • http://aluigi.altervista.org/adv/unrealcbof-adv.txt http://aluigi.org/poc/unrealcbof.txt http://osvdb.org/66039 http://secunia.com/advisories/40466 https://exchange.xforce.ibmcloud.com/vulnerabilities/60142 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 3CVE-2008-6441
https://notcve.org/view.php?id=CVE-2008-6441
Format string vulnerability in the Epic Games Unreal engine client, as used in multiple games, allows remote servers to execute arbitrary code via (1) the CLASS parameter in a DLMGR command, (2) a malformed package (PKG), and possibly (3) the LEVEL parameter in a WELCOME command. Una vulnerabilidad de formato de cadena en el motor del cliente de Epic Games Unreal, cuando se utiliza en múltiples juegos, permite a servidores remotos ejecutar código arbitrariamente a través de (1) el parámetro "CLASS" en el comando DLMGR, (2) un paquete malformado (PKG), y posiblemente (3) el parámetro "LEVEL" en el comando WELCOME. • http://aluigi.altervista.org/adv/unrealcfs-adv.txt http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0190.html http://secunia.com/advisories/31854 http://www.osvdb.org/48290 http://www.osvdb.org/48291 http://www.securityfocus.com/archive/1/496297/100/0/threaded http://www.securityfocus.com/bid/31141 https://exchange.xforce.ibmcloud.com/vulnerabilities/45088 https://exchange.xforce.ibmcloud.com/vulnerabilities/45089 https://exchange.xforce.ibmcloud.com/vulnerabilities/45090 • CWE-134: Use of Externally-Controlled Format String •