CVE-2022-32270

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

Published: Jun 3, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-32270
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
realnetworks / realplayer	20.0.8.310	20.0.8.310.x
realnetworks / realplayer	20.0.7.309	20.0.7.309.x

https://github.com/Edubr2020/RP_Import_RCE
https://youtu.be/CONlijEgDLc

Vulnerability Database

289,697

CVE-2022-32270