CVE-2024-21625
Severity: HIGH
SideQuest < 0.10.35 - Remote Code Execution via Deep Link URL Sanitization Bypass
SideQuest is a platform for obtaining virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol (`sidequest://`) to trigger actions in the application from its web contents. Prior to version 0.10.35, these deep link URLs were not sanitized properly in all cases. When a device is connected and the user is presented with a malicious link and clicks it from within the application, this allows one-click remote code execution. As of version 0.10.35, custom protocol links within the Electron application are parsed and sanitized properly.
References (1)
Vendor Advisory (x_refsource_confirm)
https://github.com/SideQuestVR/SideQuest/security/advisories/GHSA-3v86-cf9q-x4x7
Scores
CVSS v3
8.8
EPSS
0.0084
EPSS Percentile
53.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (1)
sidequestvr/sidequest
< 0.10.35
Published
Jan 04, 2024
Tracked Since
Feb 18, 2026