CVE-2023-27472

HIGH

quickentity_editor < 1.28.1 - Stored Cross-Site Scripting via Entity Name HTML Tag Injection

Title source: llm
STIX 2.1

Description

quickentity-editor-next is an open source, system local, video game asset editor. In affected versions HTML tags in entity names are not sanitised (XSS vulnerability). Allows arbitrary code execution within the browser sandbox, among other things, simply from loading a file containing a script tag in any entity name. This issue has been patched in version 1.28.1 of the application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Scores

CVSS v3 8.2
EPSS 0.0032
EPSS Percentile 24.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
quickentity_editor_project/quickentity_editor < 1.28.1
Published Mar 06, 2023
Tracked Since Feb 18, 2026