Vulnerability Details : CVE-2011-3642
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2011-3642
Probability of exploitation activity in the next 30 days: 1.56%
Percentile (the proportion of vulnerabilities scored at or below this score): ~87%
CVSS scores for CVE-2011-3642
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
| 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 | NIST |
CWE ids for CVE-2011-3642
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-3642
- http://appsec.ws/Presentations/FlashFlooding.pdf (Broken Link)
- http://secunia.com/advisories/54206 (Third Party Advisory)
- http://secunia.com/advisories/52074 (Third Party Advisory)
- https://bugs.launchpad.net/mahara/+bug/1103748, Bug #1103748 "included flowplayer 3.2.7 is vulnerable" : Bugs : Mahara (Third Party Advisory)
- https://code.google.com/p/flowplayer-core/issues/detail?id=441 (Exploit; Third Party Advisory)
- https://mahara.org/interaction/forum/topic.php?id=5237, Security Announcements - External vulnerability in Mahara flowplayer in <1.5.8 and <1.6.3 - Mahara ePortfolio System (Third Party Advisory)
- http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-009 (Broken Link)
- http://web.appsec.ws/FlashExploitDatabase.php (Broken Link)
- https://www.securityfocus.com/bid/48651, Flowplayer 'linkUrl' Parameter Cross Site Scripting Vulnerability (Third Party Advisory; VDB Entry)
- http://secunia.com/advisories/58854 (Third Party Advisory)
Products affected by CVE-2011-3642
- Flowplayer » Flowplayer Flash » For Mahara: versions from 3.2.7 (inclusive) up to 3.2.16 (inclusive); CPE: cpe:2.3:a:flowplayer:flowplayer_flash:*:*:*:*:*:mahara:*:*
- Flowplayer » Flowplayer Flash » For Typo3: versions from 3.2.7 (inclusive) up to 3.2.16 (inclusive); CPE: cpe:2.3:a:flowplayer:flowplayer_flash:*:*:*:*:*:typo3:*:*