CVE-2010-4396: Input Validation
First published: Tue Dec 14 2010(Updated: )
Cross-zone scripting vulnerability in the HandleAction method in a certain ActiveX control in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 allows remote attackers to inject arbitrary web script or HTML in the Local Zone by specifying a local file in a NavigateToURL action, as demonstrated by a local skin file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| RealPlayer | =11.0 | |
| RealPlayer | =11.0.4 | |
| RealPlayer | =11.0.2 | |
| RealPlayer | =11.0.3 | |
| RealPlayer | =11.0.5 | |
| RealPlayer | =11.1 | |
| RealPlayer | =11.0.1 | |
| RealNetworks RealPlayer SP | =1.0.1 | |
| RealNetworks RealPlayer SP | =1.1.5 | |
| RealNetworks RealPlayer SP | =1.1.3 | |
| RealNetworks RealPlayer SP | =1.0.0 | |
| RealNetworks RealPlayer SP | =1.0.2 | |
| RealNetworks RealPlayer SP | =1.1 | |
| RealNetworks RealPlayer SP | =1.1.2 | |
| RealNetworks RealPlayer SP | =1.1.4 | |
| RealNetworks RealPlayer SP | =1.1.1 | |
| RealNetworks RealPlayer SP | =1.0.5 | |
| RealPlayer | =2.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2010-4396?
CVE-2010-4396 is rated as a high-severity vulnerability due to its potential to allow arbitrary code execution through cross-zone scripting in RealPlayer.
How do I fix CVE-2010-4396?
To mitigate CVE-2010-4396, users should update their RealPlayer software to the latest version that addresses this vulnerability.
Which versions of RealPlayer are affected by CVE-2010-4396?
CVE-2010-4396 affects RealPlayer versions 11.0 through 11.1, RealPlayer SP versions 1.0 through 1.1.5, and RealPlayer Enterprise version 2.1.2.
What type of attack can exploit CVE-2010-4396?
CVE-2010-4396 can be exploited through cross-zone scripting attacks, where an attacker injects malicious scripts into a trusted zone.
Who can be impacted by CVE-2010-4396?
Any user of the affected versions of RealPlayer may be at risk of exploitation from CVE-2010-4396 if they have not updated their software.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/realnetworks
- canonical/realplayer
- version/realplayer/11.0
- version/realplayer/11.0.4
- version/realplayer/11.0.2
- version/realplayer/11.0.3
- version/realplayer/11.0.5
- version/realplayer/11.1
- version/realplayer/11.0.1
- canonical/realnetworks realplayer sp
- version/realnetworks realplayer sp/1.0.1
- version/realnetworks realplayer sp/1.1.5
- version/realnetworks realplayer sp/1.1.3
- version/realnetworks realplayer sp/1.0.0
- version/realnetworks realplayer sp/1.0.2
- version/realnetworks realplayer sp/1.1
- version/realnetworks realplayer sp/1.1.2
- version/realnetworks realplayer sp/1.1.4
- version/realnetworks realplayer sp/1.1.1
- version/realnetworks realplayer sp/1.0.5
- version/realplayer/2.1.2