CVE-2022-32270

CRITICAL

RealPlayer 20.0.7.309 and 20.0.8.310 - Remote Code Execution via Directory Traversal in Import Function

Title source: llm

Description

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/Edubr2020/RP_Import_RCE

View Exploit ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://youtu.be/CONlijEgDLc

Scores

CVSS v3 9.8

EPSS 0.0406

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

realnetworks/realplayer 20.0.7.309

realnetworks/realplayer 20.0.8.310

Published Jun 03, 2022

Tracked Since Feb 18, 2026