CVE-2011-3642

Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.

Published: Feb 8, 2020
Updated: Apr 13, 2023
CVE: CVE-2011-3642
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
flowplayer / flowplayer_flash	3.2.7	3.2.16.x

http://appsec.ws/Presentations/FlashFlooding.pdf
http://secunia.com/advisories/52074
http://secunia.com/advisories/54206
http://secunia.com/advisories/58854
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-009
http://web.appsec.ws/FlashExploitDatabase.php
https://bugs.launchpad.net/mahara/+bug/1103748
https://code.google.com/p/flowplayer-core/issues/detail?id=441
https://mahara.org/interaction/forum/topic.php?id=5237
https://www.securityfocus.com/bid/48651

Vulnerability Database

290,206

CVE-2011-3642