CVE-2007-4983

Name of the Vulnerable Software and Affected Versions jetAudio versions 7.0.3 through 7.0.3.3016

Description The issue allows remote attackers to create or overwrite arbitrary local files via a .. (dot dot backslash) in the second argument to the DownloadFromMusicStore method. This can be leveraged for code execution by overwriting JetAudio.exe, which is launched by the control after completion of the method call.

Recommendations For versions 7.0.3 through 7.0.3.3016, consider disabling the DownloadFromMusicStore method until a patch is available to prevent exploitation. Restrict access to the JetAudio.Interface.1 ActiveX control in JetFlExt.dll to minimize the risk of arbitrary file creation or overwrite.