Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-3642 — Cross-site Scripting in Flash

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

9.6CRITICALNVD

EPSS

8.9%

top 7.42%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Flowplayer Flash

Timeline

PublishedFeb 8

Latest updateApr 22

Description

Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages1 packages

▶NVDflowplayer/flowplayer_flash3.2.7 — 3.2.16

🔴Vulnerability Details

GHSA

GHSA-5pqr-mwfx-8q8w: Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3↗2022-04-22

▶

CVEList

CVE-2011-3642: Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3↗2020-02-08

▶

💥Exploits & PoCs

Exploit-DB

Flowplayer 3.2.7 - 'linkUrl' Cross-Site Scripting↗2011-07-12

▶