CVE-2011-2947 – RealNetworks RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

https://notcve.org/view.php?id=CVE-2011-2947

Cross-zone scripting vulnerability in the RealPlayer ActiveX control in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to inject arbitrary web script or HTML in the Local Zone via a local HTML document. Una vulnerabilidad de secuencias de comandos en zonas cruzadas en el control ActiveX de RealPlayer en RealNetworks RealPlayer v11.0 a v11.1 y v14.0.0 a 14.0.5, y RealPlayer SP v1.0 a v1.1.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML en la zona local a través de un documento en formato HTML almacenado localmente. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to the fact that RealPlayer allows users to run local HTML files with scripting enabled without any warning. The RealPlayer ActiveX control can be scripted from a web browser to load local HTML files. • http://service.real.com/realplayer/security/08162011_player/en http://www.securitytracker.com/id?1025943 http://zerodayinitiative.com/advisories/ZDI-11-269 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •