CVE-2011-3012

2011-08-0920:55:00

CWE-20

[email protected]

web.nvd.nist.gov

ioquake3

engine

remote attackers

arbitrary code

crafted

addon

nvd

cve-2011-3012

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.4 High

AI Score

Confidence

Low

0.108 Low

EPSS

Percentile

95.1%

JSON

The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file, a different vulnerability than CVE-2011-2764.

Affected configurations

NVD

Node

ioquake3ioquake3_engine

tremuloustremulousMatch1.1.0

urbanterroriourbanterrorMatch2007-12-20

worldofpadmanworld_of_padmanRange≤1.2

CPENameOperatorVersion
ioquake3:ioquake3_engineioquake3 ioquake3 engineeq*
tremulous:tremuloustremulouseq1.1.0
urbanterror:iourbanterrorurbanterror iourbanterroreq2007-12-20
worldofpadman:world_of_padmanworldofpadman world of padmanle1.2

CPE	Name	Operator	Version
ioquake3:ioquake3_engine	ioquake3 ioquake3 engine	eq	*
tremulous:tremulous	tremulous	eq	1.1.0
urbanterror:iourbanterror	urbanterror iourbanterror	eq	2007-12-20
worldofpadman:world_of_padman	worldofpadman world of padman	le	1.2