Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-4965Code Injection in Apple Quicktime

CWE-94Code Injection5 documents5 sources
Severity
5.0MEDIUMNVD
EPSS
9.1%
top 7.32%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apple Quicktime
Timeline
PublishedSep 25
Latest updateMay 1

Description

Apple QuickTime 7.1.3 Player and Plug-In allows remote attackers to execute arbitrary JavaScript code and possibly conduct other attacks via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter that identifies resources outside of the original domain. NOTE: as of 20070912, this issue has been demonstrated by using instances of Components.interfaces.nsILocalFile and Components.interfaces.nsIProcess to execute arbitrary local files within Firefox and possibly Internet

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDapple/quicktime7.1.3

🔴Vulnerability Details

2
GHSA
GHSA-8x7f-x5pj-6mmh: Apple QuickTime 72022-05-01
CVEList
CVE-2006-4965: Apple QuickTime 72006-09-25

💥Exploits & PoCs

1
Exploit-DB
Apple QuickTime 7.1.3 PlugIn - Arbitrary Script Execution2006-09-21

📋Vendor Advisories

1
Red Hat
CVE-2007-5045: Argument injection vulnerability in Apple QuickTime 7
CVE-2006-4965 — Code Injection in Apple Quicktime | cvebase