The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and previous versions, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote malicious users to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.
Vulnerable Product |
---|
ioquake3 ioquake3 engine 1.36 |
worldofpadman world of padman |
tremulous tremulous |
urbanterror iourbanterror |
ioquake3 ioquake3 engine |
smokin-guns smokin' guns |
openarena openarena |