Quake 3 Engine

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:id_software:quake_3_engine:icculus_804:*:*:*:*:*:*:*

part: a version: icculus_804 update: *

VendorId Software (b3578cac-594e-5b0b-a037-8ea975d8ca14)
ProductQuake 3 Engine (6941fc15-33b3-5605-b3c0-56a2fcf3ac47)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:bitbucket/gholts/quake-iii-arena purl2cpe 2026-06-01 10:15:48.722295
pkg:github/id-software/quake-iii-arena purl2cpe 2026-06-01 10:15:48.722297

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2006-3325 vulnerable 2026-06-03 14:27:34.652303 Details available
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files.
Published: 2006-06-30T23:00:00.000Z
Updated: 2024-08-07T18:23:21.197Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2006-3324 vulnerable 2026-06-03 14:27:34.651702 Details available
The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames, as contained in the neededpaks buffer.
Published: 2006-06-30T23:00:00.000Z
Updated: 2024-08-07T18:23:21.067Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.