CVE-2006-4965
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
25/09/2006
Last modified:
17/10/2018
Description
Apple QuickTime 7.1.3 Player and Plug-In allows remote attackers to execute arbitrary JavaScript code and possibly conduct other attacks via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter that identifies resources outside of the original domain. NOTE: as of 20070912, this issue has been demonstrated by using instances of Components.interfaces.nsILocalFile and Components.interfaces.nsIProcess to execute arbitrary local files within Firefox and possibly Internet Explorer.
Impact
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apple:quicktime:7.1.3:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://docs.info.apple.com/article.html?artnum=305149
- http://lists.apple.com/archives/Security-announce/2007/Mar/msg00000.html
- http://secunia.com/advisories/22048
- http://secunia.com/advisories/27414
- http://securityreason.com/securityalert/1631
- http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox
- http://www.gnucitizen.org/blog/backdooring-mp3-files/
- http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up
- http://www.kb.cert.org/vuls/id/751808
- http://www.securityfocus.com/archive/1/446750/100/0/threaded
- http://www.securityfocus.com/archive/1/453756/100/0/threaded
- http://www.securityfocus.com/archive/1/479179/100/0/threaded
- http://www.securityfocus.com/bid/20138
- http://www.securitytracker.com/id?1018687=
- http://www.vupen.com/english/advisories/2007/3155