Vulnerabilities > Valvesoftware > Steam Client

DATE CVE VULNERABILITY TITLE RISK
2021-04-10 CVE-2021-30481 Classic Buffer Overflow vulnerability in Valvesoftware Steam Client
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
6.0
2020-07-05 CVE-2020-15530 Improper Privilege Management vulnerability in Valvesoftware Steam Client 2.10.91.91
An issue was discovered in Valve Steam Client 2.10.91.91.
local
low complexity
valvesoftware CWE-269
7.2
2019-10-04 CVE-2019-17180 Path Traversal vulnerability in Valvesoftware Steam Client
Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM.
local
low complexity
valvesoftware CWE-22
7.2
2019-08-21 CVE-2019-15316 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Valvesoftware Steam Client
Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition.
6.9
2019-08-21 CVE-2019-15315 Incorrect Permission Assignment for Critical Resource vulnerability in Valvesoftware Steam Client
Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch.
local
low complexity
valvesoftware microsoft CWE-732
7.2
2019-08-07 CVE-2019-14743 Incorrect Permission Assignment for Critical Resource vulnerability in Valvesoftware Steam Client
In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access.
local
low complexity
valvesoftware microsoft CWE-732
7.2
2019-05-20 CVE-2018-12270 Improper Input Validation vulnerability in Valvesoftware Steam Client 1528829181
In Valve Steam 1528829181 BETA, it is possible to perform a homograph / homoglyph attack to create fake URLs in the client, which may trick users into visiting unintended web sites.
5.8
2015-11-24 CVE-2015-7985 Incorrect Default Permissions vulnerability in Valvesoftware Steam Client 2.10.91.91
Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file.
local
low complexity
valvesoftware CWE-276
7.2
2015-05-20 CVE-2015-4016 Improper Input Validation vulnerability in Valvesoftware Steam Client 2.10.91.91
The client detection protocol in Valve Steam allows remote attackers to cause a denial of service (process crash) via a crafted response to a broadcast packet.
network
low complexity
valvesoftware CWE-20
5.0