CVE-2021-33501 - Overwolf 1-Click Remote Code Execution
SwordBytes researchers have identified an Unauthenticated Remote Code Execution (RCE) vulnerability in Overwolf’s Client Application by abusing a Reflected Cross-Site Scripting (XSS) issue present in the “overwolfstore://" URL handler. This vulnerability allows remote unauthenticated attackers to execute arbitrary commands on the underlying operating system that hosts Overwolf’s Client Application. By combining the XSS issue with a Chromium Embedded Framework (CEF) sandbox escape, it is possible for attackers to achieve Remote Code Execution on the victim’s computer.
This has been recorded as CVE-2021-33501
Web: https://swordbytes.com/
Twitter: / swordbytessec