CVE-2007-4515 : Buffer overflow in a certain ActiveX control in YVerInfo.dll before 2007.8.27.1

Buffer overflow in a certain ActiveX control in YVerInfo.dll before 2007.8.27.1 in the Yahoo! services suite for Yahoo! Messenger before 8.1.0.419 allows remote attackers to execute arbitrary code via unspecified vectors involving arguments to the (1) fvCom and (2) info methods. NOTE: some of these details are obtained from third party information.

Published 2007-08-31 22:17:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2007-4515

Yahoo » Messenger
Versions up to, including, (<=) 8.1.0.413
cpe:2.3:a:yahoo:messenger:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2007-4515

EPSS FAQ

58.96%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2007-4515

Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow

Disclosure Date: 2007-08-30

First seen: 2020-04-26

exploit/windows/browser/yahoomessenger_fvcom

This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string to the "fvCom()" method from a yahoo.com domain, an attacker may be able to execute arbitrary code. Authors:

More information

CVSS scores for CVE-2007-4515

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2007-4515

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2007-4515

http://securitytracker.com/id?1018628
http://osvdb.org/37739
http://securityreason.com/securityalert/3083
http://messenger.yahoo.com/security_update.php?id=082907

Patch
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591

Patch;Vendor Advisory
http://www.vupen.com/english/advisories/2007/3011
https://exchange.xforce.ibmcloud.com/vulnerabilities/36363
http://secunia.com/advisories/26579

Patch;Vendor Advisory
http://www.securityfocus.com/bid/25494

Yahoo! Messenger YVerInfo.DLL ActiveX Control Multiple Buffer Overflow Weaknesses

Jump to