CVE-2010-4388

medium

Description

The (1) Upsell.htm, (2) Main.html, and (3) Custsupport.html components in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 and 2.1.3 allow remote attackers to inject code into the RealOneActiveXObject process, and consequently bypass intended Local Machine Zone restrictions and load arbitrary ActiveX controls, via unspecified vectors.

References

http://www.zerodayinitiative.com/advisories/ZDI-10-278

http://www.zerodayinitiative.com/advisories/ZDI-10-277

http://www.zerodayinitiative.com/advisories/ZDI-10-276

http://www.securitytracker.com/id?1024861

http://service.real.com/realplayer/security/12102010_player/en/

http://osvdb.org/69859

http://osvdb.org/69858

http://osvdb.org/69857

Details

Source: Mitre, NVD

Published: 2010-12-14

Updated: 2011-01-19

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium