CVE-2024-23168
In short
XSOverlay before build 647 allows websites you visit to send harmful commands through its WebSocket API, potentially letting them run any code on your computer. This is critical because it bypasses the application's security boundaries.
Technical detail
Improper access control in XSOverlay's WebSocket API (CWE-1385) permits unauthenticated remote code execution from any non-local website. Attack vector is network-based, requiring only user interaction to visit a malicious website while XSOverlay is running; impact is arbitrary code execution with application privileges.
Summary generated and translated by AI from the official description.
Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send malicious commands to the WebSocket API, resulting in arbitrary code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
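The missing control named by CWE-1385 is an Origin check on the WebSocket handshake. The sketch below is an added example, not XSOverlay's code or its actual fix: it shows a local WebSocket service rejecting handshakes from non-allowlisted browser origins. The port, the allowlist, the sample requests and the decision to accept clients that send no Origin header are all assumptions.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
# Assumption: the only browser pages allowed to talk to the local API.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def origin_allowed(origin) -> bool:
    """Exact-match allowlist; prefix or substring matching is bypassable."""
    if origin is None:
        # Assumption: native clients send no Origin and are accepted here.
        # Browsers always send it on WebSocket handshakes.
        return True
    return origin.lower() in ALLOWED_ORIGINS  # also rejects the "null" origin


def handshake_response(raw: bytes) -> bytes:
    """Return the HTTP response for a WebSocket upgrade request."""
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if not origin_allowed(h.get("origin")):
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"  # refuse before any command is read
    digest = hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()
    accept = base64.b64encode(digest).decode()
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + "\r\n\r\n").encode()


def sample_request(origin=None) -> bytes:
    """Constructed handshake using the sample key from RFC 6455."""
    lines = ["GET / HTTP/1.1", "Host: 127.0.0.1:8080", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append("Origin: " + origin)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

An Origin check only constrains browsers; it does not authenticate other local processes, so it complements rather than replaces API authentication.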
Affected products
n/a · n/a