CVE-2009-4148 Information

Description

DAZ Studio 2.3.3.161 2.3.3.163 and 3.0.1.135 allows remote attackers to execute arbitrary JavaScript code via a (1) .ds (2) .dsa (3) .dse or (4) .dsb file as demonstrated by code that loads the WScript.Shell ActiveX control related to a \script injection vulnerability.\

Reference

http://www.coresecurity.com/content/dazstudio-scripting-injection http://www.securityfocus.com/archive/1/508192/100/0/threaded http://www.securityfocus.com/bid/37176