CVE-2010-4396:realplayer, realplayer_sp: Cross-zone scripting vulnerability in the HandleAct...

VRDA Feed by

Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis

[ about VRDA Feed | JPCERT/CC ]

Vulnerability Analysis Result (Revision No : 1)

[ Download XML ]

CVE-2010-4396

realplayer, realplayer_sp: Cross-zone scripting vulnerability in the HandleAct...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4396

Original

Cross-zone scripting vulnerability in the HandleAction method in a certain ActiveX control in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 allows remote attackers to inject arbitrary web script or HTML in the Local Zone by specifying a local file in a NavigateToURL action, as demonstrated by a local skin file.

Translation (Show)

About This Analysis Information

Analysis Information Provider:

NIST NVD

First Published:

2010-12-14

Source Information Category:

Advisory, Alert

Last Updated:

2010-12-15

Affected Product Tags

cpe:/a:realnetworks:realplayer:11.0

cpe:/a:realnetworks:realplayer:11.0.1

cpe:/a:realnetworks:realplayer:11.0.2

cpe:/a:realnetworks:realplayer:11.0.3

cpe:/a:realnetworks:realplayer:11.0.4

cpe:/a:realnetworks:realplayer:11.0.5

cpe:/a:realnetworks:realplayer:11.1

cpe:/a:realnetworks:realplayer:2.1.2::enterprise

cpe:/a:realnetworks:realplayer_sp:1.0.0

cpe:/a:realnetworks:realplayer_sp:1.0.1

cpe:/a:realnetworks:realplayer_sp:1.0.2

cpe:/a:realnetworks:realplayer_sp:1.0.5

cpe:/a:realnetworks:realplayer_sp:1.1

cpe:/a:realnetworks:realplayer_sp:1.1.1

cpe:/a:realnetworks:realplayer_sp:1.1.2

cpe:/a:realnetworks:realplayer_sp:1.1.3

cpe:/a:realnetworks:realplayer_sp:1.1.4

cpe:/a:realnetworks:realplayer_sp:1.1.5

Vulnerability Analysis Results

[Access Vector] ^[?]

Undefined^[?]

Local^[?]

Adjacent Network^[?]

Network^[?]

[Access Complexit] ^[?]

Undefined^[?]

High^[?]

Medium^[?]

Low^[?]

[Authentication] ^[?]

Undefined^[?]

Multiple^[?]

Single^[?]

None^[?]

[Confidentiality Impact] ^[?]

Undefined^[?]

None^[?]

Partial^[?]

Complete^[?]

[Integrity Impact] ^[?]

Undefined^[?]

None^[?]

Partial^[?]

Complete^[?]

[Availability Impact] ^[?]

Undefined^[?]

None^[?]

Partial^[?]

Complete^[?]

Alternatives

References

CONFIRM http://service.real.com/realplayer/security/12102010_player/en/

MISC http://www.zerodayinitiative.com/advisories/ZDI-10-275

Vulnerability Type Input Validation (CWE-20)