CVE-2011-3642

CRITICAL

Flowplayer Flash <3.2.16 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Szymon Gruszecki · text · webapps · multiple
https://www.exploit-db.com/exploits/35941

Scores

CVSS v3 9.6
EPSS 0.0769
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (1)
flowplayer/flowplayer_flash 3.2.7 - 3.2.16 (2 CPE variants)
Published Feb 08, 2020
Tracked Since Feb 18, 2026