PT-2009-4465 · Mozilla+1 · Firefox+1
Diego Juarez · Published 2009-06-16 · Updated 2024-02-14
CVE-2009-2011
CVSS v2.0: 9.3 (High)
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Worldweaver DX Studio Player versions prior to 3.0.29.1
Description:
The issue allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes the shell.execute JavaScript API method, due to a lack of access restriction to this method when the player is used as a plug-in for Firefox.
Recommendations:
For versions prior to 3.0.29.1, consider disabling the shell.execute JavaScript API method as a temporary workaround until a patch is available. Restrict access to .dxstudio files that may invoke this method to minimize the risk of exploitation.
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related identifiers
Affected products
Firefox
Worldweaver Dx Studio Player