CVE-2011-3642
high-risk
Published 2020-02-08
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.
Do I need to act?
8.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
1 public exploit available
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.6/10
Critical
NETWORK / LOW complexity
Affected Products (2)
Affected Vendors
References (20)
Broken Link
http://appsec.ws/Presentations/FlashFlooding.pdf
Third Party Advisory
http://secunia.com/advisories/52074
Third Party Advisory
http://secunia.com/advisories/54206
Third Party Advisory
http://secunia.com/advisories/58854
Broken Link
http://web.appsec.ws/FlashExploitDatabase.php
Third Party Advisory
https://bugs.launchpad.net/mahara/+bug/1103748
Third Party Advisory
https://mahara.org/interaction/forum/topic.php?id=5237
Third Party Advisory
https://www.securityfocus.com/bid/48651
56 / 100
high-risk
Severity
32/34 · Critical
Exploitability
17/34 · Moderate
Exposure
7/34 · Low