CVE-2011-3642 Information
Description
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16 as used in the News system (news) extension for TYPO3 and Mahara allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Reference
http://appsec.ws/Presentations/FlashFlooding.pdf
http://secunia.com/advisories/52074
http://secunia.com/advisories/54206
http://secunia.com/advisories/58854
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-009
http://web.appsec.ws/FlashExploitDatabase.php
https://bugs.launchpad.net/mahara/+bug/1103748
https://code.google.com/p/flowplayer-core/issues/detail?id=441
https://mahara.org/interaction/forum/topic.php?id=5237
https://www.securityfocus.com/bid/48651
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.6
Base Severity
CRITICAL