CVE-2011-3642
CRITICAL
Flowplayer Flash 3.2.7-3.2.16 - Cross-Site Scripting via Plugin Configuration Directive
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2011-3642. PoCs published by Szymon Gruszecki.
AI-analyzed exploit summary: This exploit demonstrates a cross-site scripting (XSS) vulnerability in Flowplayer 3.2.7 by injecting malicious JavaScript code via the 'linkUrl' parameter in the SWF file's configuration. The payload executes arbitrary script code in the context of the affected site, allowing cookie theft or other client-side attacks.
Description
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.
Exploits (1)
References (10)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H