December 11, 2023 at 03:11PM
Valve addressed an HTML injection flaw in Counter-Strike 2, allowing users to inject images and obtain IP addresses. The flaw was fixed in a 7MB update, preventing the rendering of inputted HTML and potentially malicious IP logging. This issue was similar to a more severe XSS vulnerability in Counter-Strike: Global Offensive in 2019.
It looks like there was an HTML injection flaw in Counter-Strike 2 that allowed players to inject images and obtain other players’ IP addresses. This flaw has been fixed with a small 7MB update released by Valve, which now sanitizes inputted HTML to a regular string. The exploit was reportedly abused by some users, causing IP addresses to be logged and potentially used maliciously, such as for DDoS attacks. A similar, more critical flaw was found in Counter-Strike: Global Offensive’s Panorama UI in 2019, which allowed for the execution of remote commands. This indicates a pattern of vulnerability in the Panorama UI that Valve has had to address. BleepingComputer reached out to Valve for confirmation on whether the update fixed the exploit, but has not received a response yet.