Counter-Strike 2 HTML injection bug exposes players’ IP addresses
Valve has reportedly fixed an HTML injection flaw in Counter-Strike 2 that was heavily abused today to inject images into games and obtain other players' IP addresses.
While initially thought to be a more severe cross-site scripting (XSS) flaw, which allows JavaScript code to be executed in a client, the bug was determined to be only an HTML injection flaw, allowing the injection of images.
Counter-Strike 2 uses Valve's Panorama UI, a user interface that heavily incorporates CSS, HTML, and JavaScript for design layout.
If a field has HTML enabled, any text entered into it is rendered as HTML on output. Today, Counter-Strike players began reporting that users were abusing an HTML injection flaw to inject images into the kick voting panel.
The exposed IP addresses could be used maliciously, for example to launch DDoS attacks that force players to disconnect from the match.
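The rendering behaviour described above, as an added example (not Valve's or Panorama's code): the same vote-panel label built with and without output encoding of the player-supplied name, plus a helper that lists the remote image fetches the rendered markup would trigger. The function names, label template and sample names are assumptions constructed for illustration.

```javascript
// Added illustration; not Valve's code. All names here are hypothetical.

// Encode the five characters that let text break out into markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the player-controlled name is pasted into an
// HTML-enabled label, so any tags in it become part of the panel.
function voteLabelUnsafe(playerName) {
  return `<span class="vote-target">Kick player: ${playerName}?</span>`;
}

// Hardened pattern: the name is encoded at output time and stays plain text.
function voteLabelSafe(playerName) {
  return `<span class="vote-target">Kick player: ${escapeHtml(playerName)}?</span>`;
}

// Review helper: list the image URLs a client would request when rendering
// the markup. Each such request shows the client's IP address to that host.
function remoteFetches(markup) {
  const urls = [];
  const re = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of markup.matchAll(re)) {
    urls.push(m[1] ?? m[2] ?? m[3]);
  }
  return urls;
}

// Constructed sample names (example.invalid never resolves).
const samples = [
  'fr4gger',
  "<img src='https://img.example.invalid/p.png'>",
  'Tom & "Jerry" <3',
];

for (const name of samples) {
  console.log(JSON.stringify(name));
  console.log('  unsafe label fetches:', remoteFetches(voteLabelUnsafe(name)));
  console.log('  safe label fetches:  ', remoteFetches(voteLabelSafe(name)));
}
```

Encoding at output time keeps legitimate names containing `&`, `<` or quotes displayable, which rejecting such names at input would not.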
In 2019, a similar, but more serious, bug was found in Counter-Strike: Global Offensive's Panorama UI that allowed HTML to be injected via the kick feature.