CVE-2020-11722
CRITICAL
Dungeon Crawl Stone Soup < 0.25 - Unrestricted File Upload
Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.
References (6)
Core References
Patch, Third Party Advisory x_refsource_misc
https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04
Patch, Third Party Advisory x_refsource_misc
https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00037.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNXK7QE7EA7XSDDNOWX2A6MJNWOIYCTC/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QLPN635S7J3MUXLIHYK6MDAHEIASFYP/
Scores
CVSS v3: 9.8
EPSS: 0.0365
EPSS Percentile: 87.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-434
Status: published
Products (1)
dungeon_crawl_stone_soup_project/dungeon_crawl_stone_soup < 0.25
Published: Apr 12, 2020
Tracked Since: Feb 18, 2026