Malicious users can take over the session of other players

Critical
LoboMetalurgico published GHSA-4fv9-g2jh-j5xm Mar 24, 2022

Package

geon

Affected versions

<= 1.0.0

Patched versions

1.1.0

Description

Impact

A malicious user can easily obtain another user's UUID and, by passing it to a specific command in the browser console, change their own UUID to the target's, so that both users own the same session.
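The weakness described above amounts to an identifier that other players can see also working as the session credential. As an added illustration (not geon's code and not the 1.1.0 patch; `SessionStore` and its method names are hypothetical, and it assumes the server identifies a player by whatever UUID the client presents), this Node.js example contrasts that pattern with resolving identity server-side from a secret per-session token:

```javascript
// Added illustration; not geon's code. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

function hash(token) {
  return nodeCrypto.createHash('sha256').update(token).digest('hex');
}

class SessionStore {
  constructor() {
    this.byTokenHash = new Map(); // sha256(token) -> public player id
  }

  // Called once when a player joins. The public id may be shown to other
  // players; the token is returned only to the owning client.
  create() {
    const playerId = nodeCrypto.randomUUID();
    const token = nodeCrypto.randomBytes(32).toString('base64url');
    this.byTokenHash.set(hash(token), playerId);
    return { playerId, token };
  }

  // Vulnerable pattern: the server accepts whatever id the client sends,
  // so knowing another player's id is enough to act as that player.
  resolveVulnerable(claimedPlayerId) {
    const known = [...this.byTokenHash.values()].includes(claimedPlayerId);
    return known ? claimedPlayerId : null;
  }

  // Hardened pattern: identity is derived server-side from the secret token.
  // Any id the client claims is ignored.
  resolve(token) {
    if (typeof token !== 'string' || token.length === 0) return null;
    return this.byTokenHash.get(hash(token)) ?? null;
  }
}

// Constructed scenario: two players; the second knows the first's public id.
function demo() {
  const store = new SessionStore();
  const alice = store.create();
  const mallory = store.create();
  return {
    vulnerable: store.resolveVulnerable(alice.playerId) === alice.playerId,
    hardenedWithOwnToken: store.resolve(mallory.token) === mallory.playerId,
    hardenedWithPublicId: store.resolve(alice.playerId), // public id is not a credential
  };
}
```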

Patches

Anyone hosting the game should immediately upgrade to version 1.1.0, which fixes this vulnerability and includes other important fixes.

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVE ID

CVE-2022-24781

Weaknesses

No CWEs

Credits