CVE-2010-4388

Name of the Vulnerable Software and Affected Versions RealPlayer versions 11.0 through 11.1 RealPlayer SP versions 1.0 through 1.1.5 RealPlayer Enterprise versions 2.1.2 through 2.1.3

Description The issue allows remote attackers to inject code into the RealOneActiveXObject process, bypassing intended Local Machine Zone restrictions and loading arbitrary ActiveX controls. This is achieved via unspecified vectors in the Upsell.htm, Main.html, and Custsupport.html components.

Recommendations For RealPlayer versions 11.0 through 11.1, update to a version outside of this range to mitigate the risk. For RealPlayer SP versions 1.0 through 1.1.5, update to a version outside of this range to mitigate the risk. For RealPlayer Enterprise versions 2.1.2 through 2.1.3, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Upsell.htm, Main.html, and Custsupport.html components until a patch is available.