QwikSec

Security Database

CVE

CWE

Training

CVE-2009-2011

Published: Jun 16, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

third-party-advisory

x_refsource_SECUNIA

vdb-entry

x_refsource_BID

20090609 CORE-2009-0521 - DX Studio Player Firefox plug-in command injection

mailing-list

x_refsource_BUGTRAQ

http://www.coresecurity.com/content/DXStudio-player-firefox-plugin

x_refsource_MISC

http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd

x_refsource_CONFIRM

vdb-entry

x_refsource_VUPEN

exploit

x_refsource_EXPLOIT-DB

dxstudioplayer-shellexecute-command-exec(51035)

vdb-entry

x_refsource_XF

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.