client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Quake_3_engine | Id_software | * | * |
| Quake_3_engine | Id_software | 1.32b (including) | 1.32b (including) |
| Quake_3_engine | Id_software | 1.32c (including) | 1.32c (including) |
| Quake_3_engine | Id_software | icculus_803 (including) | icculus_803 (including) |
| Quake_3_engine | Id_software | icculus_804 (including) | icculus_804 (including) |
| Quake_3_engine | Id_software | icculus_805 (including) | icculus_805 (including) |
| Quake_3_engine | Id_software | icculus_806 (including) | icculus_806 (including) |
| Quake_3_engine | Id_software | icculus_807 (including) | icculus_807 (including) |
| Quake_3_engine | Id_software | icculus_808 (including) | icculus_808 (including) |
| Quake_3_engine | Id_software | icculus_809 (including) | icculus_809 (including) |
| Quake_3_engine | Id_software | icculus_810 (including) | icculus_810 (including) |