CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Valvesoftware : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-30481 120 Exec Code Overflow 2021-04-10 2021-04-21
6.0
None Remote Medium ??? Partial Partial Partial
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
2 CVE-2020-15530 269 +Priv 2020-07-05 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in Valve Steam Client 2.10.91.91. The installer allows local users to gain NT AUTHORITY\SYSTEM privileges because some parts of %PROGRAMFILES(X86)%\Steam and/or %COMMONPROGRAMFILES(X86)%\Steam have weak permissions during a critical time window. An attacker can make this time window arbitrarily long by using opportunistic locks.
3 CVE-2020-12242 269 +Priv 2020-04-27 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account.
4 CVE-2020-7952 DoS Exec Code Mem. Corr. 2020-01-27 2020-01-29
6.8
None Remote Medium Not required Partial Partial Partial
rendersystemdx9.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is affected by memory corruption.
5 CVE-2020-7951 DoS Exec Code Mem. Corr. 2020-01-27 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
meshsystem.dll in Valve Dota 2 before 7.23e allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is affected by memory corruption.
6 CVE-2020-7950 DoS Exec Code 2020-01-27 2020-01-27
6.8
None Remote Medium Not required Partial Partial Partial
meshsystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a vulnerable function call.
7 CVE-2020-7949 DoS Exec Code 2020-01-27 2020-01-27
6.8
None Remote Medium Not required Partial Partial Partial
schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call.
8 CVE-2020-6019 2020-11-13 2020-12-10
5.0
None Remote Low Not required None None Partial
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles inlined statistics messages in function CConnectionTransportUDPBase::Received_Data(), leading to an exception thrown from libprotobuf and resulting in a crash.
9 CVE-2020-6018 787 Exec Code Overflow Mem. Corr. 2020-12-02 2020-12-11
7.5
None Remote Low Not required Partial Partial Partial
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long encrypted messages in function AES_GCM_DecryptContext::Decrypt() when compiled using libsodium, leading to a Stack-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code execution.
10 CVE-2020-6017 787 Exec Code Overflow Mem. Corr. 2020-12-03 2020-12-11
7.5
None Remote Low Not required Partial Partial Partial
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code execution.
11 CVE-2020-6016 787 Exec Code Mem. Corr. 2020-11-18 2020-12-10
10.0
None Remote Low Not required Complete Complete Complete
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles unreliable segments with negative offsets in function SNP_ReceiveUnreliableSegment(), leading to a Heap-Based Buffer Underflow and a free() of memory not from the heap, resulting in a memory corruption and probably even a remote code execution.
12 CVE-2019-15944 116 2019-09-05 2019-09-09
5.0
None Remote Low Not required None Partial None
In Counter-Strike: Global Offensive before 8/29/2019, community game servers can display unsafe HTML in a disconnection message.
13 CVE-2019-15943 787 DoS Exec Code 2019-09-19 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a memset call.
14 CVE-2018-12270 20 2019-05-20 2019-05-21
5.8
None Remote Medium Not required Partial Partial None
In Valve Steam 1528829181 BETA, it is possible to perform a homograph / homoglyph attack to create fake URLs in the client, which may trick users into visiting unintended web sites.
15 CVE-2016-5237 264 +Priv 2017-01-23 2017-09-07
1.9
None Local Medium Not required None Partial None
Valve Steam 3.42.16.13 uses weak permissions for the files in the Steam program directory, which allows local users to modify the files and possibly gain privileges as demonstrated by a Trojan horse Steam.exe file.
16 CVE-2013-7128 310 +Info 2013-12-17 2013-12-18
2.1
None Local Low Not required Partial None None
Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valve SteamOS Beta stores cleartext credentials in a .valve-bugreporter.cfg file upon a Remember Credentials action, which allows local users to obtain sensitive information by reading this file.
17 CVE-2008-7203 399 DoS 2009-09-11 2017-10-11
5.0
None Remote Low Not required None None Partial
Valve Software Half-Life Counter-Strike 1.6 allows remote attackers to cause a denial of service (crash) via multiple crafted login packets.
Total number of vulnerabilities : 17   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.