Counter-Strike 2 HTML injection bug exposes players' IP addresses

Valve has reportedly fixed an HTML injection flaw in Counter-Strike 2 that was heavily abused today to inject images into games and obtain other players' IP addresses.
While initially thought to be a more severe Cross-Site Scripting (XSS) flaw, which would allow JavaScript code to be executed in a client, the bug was determined to be only an HTML injection flaw, allowing the injection of images.
Counter-Strike 2 uses Valve's Panorama UI, a user interface that heavily incorporates CSS, HTML, and JavaScript for design layout.
As part of the design layout, developers can configure input fields to accept HTML rather than sanitize it to a regular string.
If the field enabled HTML, any inputted text would be rendered on output as HTML.
Today, Counter-Strike users began reporting that users were abusing an HTML injection flaw to inject images into the kick voting panel.
While the flaw was abused mostly for harmless fun, others used it to obtain the IP addresses of other gamers in the match.
This was done by using the injected image tag to open a remote IP logger script that caused the IP address of every player who saw the vote kick to be logged.
These IP addresses could be used maliciously, such as launching DDoS attacks to force players to disconnect from the match.
This afternoon, Valve released a small 7MB update that reportedly fixes the vulnerability and causes any inputted HTML to be sanitized to a regular string.
Once the patch is installed, instead of injected HTML being rendered by the user interface, it would just be displayed as a string, as demonstrated below.
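To make the difference between the two behaviours concrete, here is an added example (not Valve's code and not Panorama UI's actual API) written in JavaScript, the language Panorama's layout layer uses. It contrasts a field that hands player input straight to the renderer as markup with one that escapes it to a plain string, and adds a defender-side check that flags any rendered fragment still carrying a tag that would make the viewing client fetch a remote URL. The `<Label>` wrapper, the function names and the sample host are assumptions for illustration.

```javascript
// Added example, not code from Valve or from Counter-Strike 2.

// Vulnerable behaviour: the field is configured to accept HTML, so whatever the
// player typed is passed to the renderer as markup. <Label> is a hypothetical
// Panorama-style element used only to show where the input lands.
function renderAsHtml(playerInput) {
  return `<Label>${playerInput}</Label>`;
}

// Fixed behaviour described in the article: characters with meaning in HTML are
// escaped, so the input is displayed as a regular string.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderAsText(playerInput) {
  return `<Label>${escapeHtml(playerInput)}</Label>`;
}

// Defender-side check on a rendered fragment: does it still contain an element
// whose src would make the client fetch from a remote host? That fetch is what
// let an injected image disclose the viewer's IP address. Regex on the raw
// fragment, no DOM required.
const REMOTE_SRC_TAG =
  /<\s*(img|image|video|audio|source|iframe)\b[^>]*\bsrc\s*=\s*["']?\s*(https?:)?\/\//i;

function containsRemoteFetch(fragment) {
  return REMOTE_SRC_TAG.test(fragment);
}

// Constructed sample input modelled on the kind of payload the article describes;
// the host is a placeholder, not a real logger.
const SAMPLE_INPUT = 'gg <img src="https://ip-logger.example/track.gif">';

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const vulnerable = renderAsHtml(SAMPLE_INPUT);
  const patched = renderAsText(SAMPLE_INPUT);
  console.log('vulnerable:', vulnerable, '-> remote fetch:', containsRemoteFetch(vulnerable));
  console.log('patched   :', patched, '-> remote fetch:', containsRemoteFetch(patched));
}
```

Running it shows the unescaped fragment trips the check while the escaped one renders the same text literally. The check is deliberately narrow: it catches the primitive behind this incident (a remote `src`), not every dangerous construct, so it belongs alongside output escaping rather than in place of it.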
BleepingComputer contacted Valve to confirm if this update fixed the exploit but has not received a response.
In 2019, a similar, but more serious, bug was found in Counter-Strike: Global Offensive's Panorama UI that allowed HTML to be injected via the kick feature.
In that particular case, it could also be used to launch JavaScript, causing it to be a far more critical XSS vulnerability that could be used to execute commands remotely.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 11 Dec 2023 20:10:13 +0000

