CVE-2011-3642
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
08/02/2020
Last modified:
21/11/2024
Description
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.
Impact
Base Score 3.x
9.60
Severity 3.x
CRITICAL
Base Score 2.0
6.80
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:flowplayer:flowplayer_flash:*:*:*:*:*:mahara:*:* | 3.2.7 (including) | 3.2.16 (including) |
| cpe:2.3:a:flowplayer:flowplayer_flash:*:*:*:*:*:typo3:*:* | 3.2.7 (including) | 3.2.16 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://appsec.ws/Presentations/FlashFlooding.pdf
- http://secunia.com/advisories/52074
- http://secunia.com/advisories/54206
- http://secunia.com/advisories/58854
- http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-009
- http://web.appsec.ws/FlashExploitDatabase.php
- https://bugs.launchpad.net/mahara/+bug/1103748
- https://code.google.com/p/flowplayer-core/issues/detail?id=441
- https://mahara.org/interaction/forum/topic.php?id=5237
- https://www.securityfocus.com/bid/48651
- http://appsec.ws/Presentations/FlashFlooding.pdf
- http://secunia.com/advisories/52074
- http://secunia.com/advisories/54206
- http://secunia.com/advisories/58854
- http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-009
- http://web.appsec.ws/FlashExploitDatabase.php
- https://bugs.launchpad.net/mahara/+bug/1103748
- https://code.google.com/p/flowplayer-core/issues/detail?id=441
- https://mahara.org/interaction/forum/topic.php?id=5237
- https://www.securityfocus.com/bid/48651