Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 9.3
CVE Id CVE-2009-2011
Last Modified 22 Jun 2009 12:00:00
Published 16 Jun 2009 05:00:00
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-2011

Summary

Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method.

Vulnerable Systems

Application

  • Dxstudio Dx Studio Player 3.0.12.0

  • Dxstudio Dx Studio Player 3.0.22.0

  • Dxstudio Dx Studio Player 3.0.29.0


References

VUPEN - ADV-2009-1561

BID - 35273

XF - dxstudioplayer-shellexecute-command-exec(51035)

BUGTRAQ - 20090609 CORE-2009-0521 - DX Studio Player Firefox plug-in command injection

MILW0RM - 8922

CONFIRM - http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd

MISC - http://www.coresecurity.com/content/DXStudio-player-firefox-plugin

SECUNIA - 35402


Last Updated: 27 May 2016 10:50:44