The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and previous versions, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote malicious users to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.
Vulnerable Product |
---|
urbanterror iourbanterror |
ioquake3 ioquake3 engine 1.36 |
tremulous tremulous |
ioquake3 ioquake3 engine |
smokin-guns smokin' guns |
worldofpadman world of padman |
openarena openarena |