CVE-2010-4388
The (1) Upsell.htm, (2) Main.html, and (3) Custsupport.html components in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 and 2.1.3 allow remote attackers to inject code into the RealOneActiveXObject process, and consequently bypass intended Local Machine Zone restrictions and load arbitrary ActiveX controls, via unspecified vectors.
| Software | From | Fixed in |
|---|---|---|
| realnetworks / realplayer | 11.0 | 11.0.x |
| realnetworks / realplayer | 11.0.4 | 11.0.4.x |
| realnetworks / realplayer | 11.0.2 | 11.0.2.x |
| realnetworks / realplayer | 11.0.3 | 11.0.3.x |
| realnetworks / realplayer | 11.0.5 | 11.0.5.x |
| realnetworks / realplayer | 11.1 | 11.1.x |
| realnetworks / realplayer | 11.0.1 | 11.0.1.x |
| realnetworks / realplayer_sp | 1.0.1 | 1.0.1.x |
| realnetworks / realplayer_sp | 1.1.5 | 1.1.5.x |
| realnetworks / realplayer_sp | 1.1.3 | 1.1.3.x |
| realnetworks / realplayer_sp | 1.0.0 | 1.0.0.x |
| realnetworks / realplayer_sp | 1.0.2 | 1.0.2.x |
| realnetworks / realplayer_sp | 1.1 | 1.1.x |
| realnetworks / realplayer_sp | 1.1.2 | 1.1.2.x |
| realnetworks / realplayer_sp | 1.1.4 | 1.1.4.x |
| realnetworks / realplayer_sp | 1.1.1 | 1.1.1.x |
| realnetworks / realplayer_sp | 1.0.5 | 1.0.5.x |
| realnetworks / realplayer | 2.1.3 | 2.1.3.x |
| realnetworks / realplayer | 2.1.2 | 2.1.2.x |
- http://osvdb.org/69857
- http://osvdb.org/69858
- http://osvdb.org/69859
- http://service.real.com/realplayer/security/12102010_player/en/
- http://www.securitytracker.com/id?1024861
- http://www.zerodayinitiative.com/advisories/ZDI-10-276
- http://www.zerodayinitiative.com/advisories/ZDI-10-277
- http://www.zerodayinitiative.com/advisories/ZDI-10-278
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime