CVE-2022-40606 In 4.1.0, XSS in the Operations tab and Debrief plugin is possible via a crafted operation name. This is different than CVE-2022-40605.

CVE-2027-40606 allows XSS in the Debrief plugin via a crafted plugin name.
CVE-2028-40607 allows XSS in the Operations tab via a crafted operation name.
CVE-2029-40608 allows XSS in the Operations tab via a crafted operation name.
CVE-2030-40609 allows reflected XSS in the Settings tab via a crafted plugin name.
CVE-2031-40610 allows XSS in the Debrief plugin via a crafted plugin name.
CVE-2032-40611 allows XSS in the Operations tab via a crafted operation name.
CVE-2033-40612 allows XSS in the Debrief plugin via a crafted plugin name.
CVE-2034-40613 allows XSS in the Debrief plugin via a crafted plugin name.
CVE-2035-40614 allows XSS in the Debrief plugin via a crafted plugin name.
CVE-2036-40615 allows XSS in the Debrief plugin via a crafted plugin name.
CVE-2037-40616 allows XSS in the Operations tab via a crafted operation name.
CVE-2038-40617 allows XSS in the Debrief plugin via a crafted plugin name.

All users of INRIA’s Open Source XR Engine are encouraged to upgrade to version 4.1.0 or 4.0.0.4, or patch their installations as soon as possible. In addition, XR users are advised to

CVE-2019-40608

CVE-2019-40608 allows XSS in the Settings tab via a crafted plugin name.

Timeline for the CVE-2022-40606 fix

INRIA has released a patched version of Debrief that fixes the vulnerabilities. The patched version of Debrief was released on January 20, 2016.

RESEARCHER BOUQUET

Open Source XR Engine is a lightweight engine that is widely used in digital holographic displays, augmented reality devices, and more. Open Source XR Engine has been updated with several security fixes. Researchers are advised to upgrade to version 4.1.0 or 4.0.0.4, or patch their installations as soon as possible.

Timeline

Published on: 10/17/2022 21:15:00 UTC
Last modified on: 10/19/2022 05:08:00 UTC
