Valve has reportedly fixed an HTML injection flaw in CS2 that was heavily abused today to inject images into games and obtain other players’ IP addresses.
As part of the UI layout, developers can configure input fields to accept HTML rather than sanitizing their contents to a plain string. If HTML was enabled for a field, any text entered into it was rendered as HTML on output.
Today, Counter-Strike players began reporting that others were abusing this HTML injection flaw to inject images into the kick voting panel.
While the flaw was abused mostly for harmless fun, others used it to obtain the IP addresses of other gamers in the match.
This was done by using the <img> tag to load a remote IP logger script, which logged the IP address of every player who saw the vote-kick panel.
These IP addresses could then be used maliciously, for example to launch DDoS attacks that force players to disconnect from the match.
This afternoon, Valve released a small 7MB update that reportedly fixes the vulnerability and causes any inputted HTML to be sanitized to a regular string.
For example, once the patch is installed, instead of injected HTML being rendered by the user interface, it would just be displayed as a string, as demonstrated below.
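The root cause described above, a UI field that interpolates player-supplied text straight into markup, and the fix, escaping that text so it is displayed rather than rendered, can be shown side by side. The following is an added example, not Valve's or Panorama's code: it uses a hypothetical string-templated vote-kick panel, a constructed player name that carries an image tag, and a simple pre-render check a defender could use to flag or log names containing markup.

```javascript
// Added example (not code from the article or from Valve). It models a UI
// widget that builds its markup from a string template, which is the
// pattern the article describes: text interpolated verbatim is rendered as HTML.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that let text break out of an HTML text node
// or attribute value. After escaping, a browser shows the tag as literal text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the player name is interpolated as-is, so any markup
// in the name becomes part of the panel's DOM when it is rendered.
function renderVotePanelUnsafe(playerName) {
  return `<div class="vote-kick">Kick ${playerName}?</div>`;
}

// Hardened pattern: the name is escaped first, so "<img" arrives at the
// renderer as "&lt;img" and is displayed, not interpreted.
function renderVotePanelSafe(playerName) {
  return `<div class="vote-kick">Kick ${escapeHtml(playerName)}?</div>`;
}

// Defensive check for the untrusted input side: does a name contain
// anything that looks like a tag or an HTML entity? Useful for rejecting
// such names at the server or for alerting on attempts, independent of
// whether the UI escapes correctly.
function containsMarkup(text) {
  return /<\s*\/?\s*[a-zA-Z!]|&#?[a-zA-Z0-9]+;/.test(String(text));
}

// Constructed sample input: a player name carrying an image tag. The host
// name is a placeholder, not a real address.
const CONSTRUCTED_NAME = 'Player<img src="https://example.invalid/pixel.png">';

// Stand-alone demonstration of the two renderings.
console.log("unsafe :", renderVotePanelUnsafe(CONSTRUCTED_NAME));
console.log("safe   :", renderVotePanelSafe(CONSTRUCTED_NAME));
console.log("markup?:", containsMarkup(CONSTRUCTED_NAME));
```

Escaping at render time is the change the article attributes to the patch; the `containsMarkup` check is an extra, server-side layer that does not depend on every UI template being fixed and gives a signal worth logging when players submit names containing tags.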
BleepingComputer contacted Valve to confirm if this update fixed the exploit but has not received a response.
In 2019, a similar, but more serious, bug was found in Counter-Strike: Global Offensive’s Panorama UI that allowed HTML to be injected via the kick feature.