CVE-2009-4148

Name of the Vulnerable Software and Affected Versions DAZ Studio versions 2.3.3.161 through 2.3.3.163, version 3.0.1.135

Description The issue allows remote attackers to execute arbitrary JavaScript code via certain file types, including .ds, .dsa, .dse, and .dsb files. This is related to a script injection issue, which can be demonstrated by loading the WScript.Shell ActiveX control.

Recommendations For versions 2.3.3.161 through 2.3.3.163, and version 3.0.1.135, consider restricting the use of .ds, .dsa, .dse, and .dsb files to minimize the risk of exploitation. Avoid using these file types until a patch is available. As a temporary workaround, consider disabling the execution of JavaScript code in DAZ Studio until a fix is provided.