CVE-2023-26123: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

April 14, 2023 (updated November 7, 2023)

Versions of the package raysan5/raylib before 4.5.0 is vulnerable to Cross-site Scripting (XSS) such that the SetClipboardText API does not properly escape the ’ character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via emscripten_run_script function. Note: This vulnerability is present only when compiling raylib for PLATFORM_WEB. All the other Desktop/Mobile/Embedded platforms are not affected.

References

github.com/raysan5/raylib/commit/b436c8d7e5346a241b00511a11585936895d959d
github.com/raysan5/raylib/issues/2954
github.com/raysan5/raylib/releases/tag/4.5.0
nvd.nist.gov/vuln/detail/CVE-2023-26123
security.snyk.io/vuln/SNYK-UNMANAGED-RAYSAN5RAYLIB-5421188

Code Behaviors & Features

Detect and mitigate CVE-2023-26123 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →