Risk: High
Patch available: NO
Number of vulnerabilities: 20
CVE-ID: CVE-2011-0555, CVE-2011-0556, CVE-2011-0557, CVE-2011-0569, CVE-2010-4192, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195, CVE-2010-4196, CVE-2010-4306, CVE-2010-4307, CVE-2010-2588, CVE-2010-2589, CVE-2010-4093, CVE-2010-4187, CVE-2010-4188, CVE-2010-4189, CVE-2010-4190, CVE-2010-4191, CVE-2010-2587
CWE-ID: CWE-119, CWE-20, CWE-122
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Shockwave Player (Client/Desktop applications / Plugins for browsers, ActiveX components)
Vendor: Adobe
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
EUVDB-ID: #VU45337
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2011-0555
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The TextXtra.x32 module in Adobe Shockwave Player before 11.5.9.620 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a Director file with a crafted DEMX RIFF chunk that triggers incorrect buffer allocation, a different vulnerability than CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, and CVE-2010-4306.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://dvlabs.tippingpoint.com/advisory/TPTI-11-02
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516333/100/0/threaded
https://www.securityfocus.com/bid/46327
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65257
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45338
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2011-0556
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The Font Xtra.x32 module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PFR1 chunk that leads to an unexpected sign extension and an invalid pointer dereference, a different vulnerability than CVE-2011-0569.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://dvlabs.tippingpoint.com/advisory/TPTI-11-03
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516336/100/0/threaded
https://www.securityfocus.com/bid/46328
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65258
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45339
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2011-0557
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Integer overflow in Adobe Shockwave Player before 11.5.9.620 allows remote attackers to execute arbitrary code via a Director movie with a large count value in 3D assets type 0xFFFFFF45 record, which triggers a "faulty allocation" and memory corruption.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516323/100/0/threaded
https://www.securityfocus.com/bid/46330
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65259
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45340
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2011-0569
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The Font Xtra.x32 module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PFR1 chunk containing an invalid size value that leads to an unexpected sign extension and a buffer overflow, a different vulnerability than CVE-2011-0556.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://dvlabs.tippingpoint.com/advisory/TPTI-11-05
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516335/100/0/threaded
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65260
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45344
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4192
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Director movie with a crafted 3D Assets 0xFFFFFF88 type record that triggers an incorrect memory allocation, a different vulnerability than CVE-2011-0555, CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, and CVE-2010-4306.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516322/100/0/threaded
https://www.securityfocus.com/bid/46326
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://www.zerodayinitiative.com/advisories/ZDI-11-078
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45345
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4193
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 does not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.kb.cert.org/vuls/id/189929
https://www.securityfocus.com/bid/46334
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45346
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4194
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 does not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.kb.cert.org/vuls/id/189929
https://www.securityfocus.com/bid/46335
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45347
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4195
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The TextXtra module in Adobe Shockwave Player before 11.5.9.620 does not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.kb.cert.org/vuls/id/189929
https://www.securityfocus.com/bid/46336
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45348
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4196
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The Shockwave 3d Asset module in Adobe Shockwave Player before 11.5.9.620 does not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.kb.cert.org/vuls/id/189929
https://www.securityfocus.com/bid/46338
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45349
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4306
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0555, CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, and CVE-2010-4192.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46333
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45350
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4307
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code via unspecified vectors.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46339
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45351
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-2588
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2587 and CVE-2010-4188.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46318
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65244
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45352
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-2589
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Integer overflow in the dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code via unspecified vectors.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46329
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65245
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45353
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4093
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0555, CVE-2010-4187, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, and CVE-2010-4306.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.kb.cert.org/vuls/id/189929
https://www.securityfocus.com/bid/46321
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45354
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4187
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed chunk in a Director file, a different vulnerability than CVE-2011-0555, CVE-2010-4093, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, and CVE-2010-4306.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://labs.idefense.com/intelligence/vulnerabilities/display.php?id=892
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46317
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45355
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4188
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the dirapi.dll module in Adobe Shockwave Player before 11.5.9.620. A remote attacker can use a Director movie with an IFWV chunk with a size field of 0 to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://dvlabs.tippingpoint.com/advisory/TPTI-11-01
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516332/100/0/threaded
https://www.securityfocus.com/bid/46319
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45356
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4189
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The IML32 module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Director movie containing a GIF image with a crafted global color table size value, which causes an out-of-range pointer offset.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://dvlabs.tippingpoint.com/advisory/TPTI-11-04
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516334/100/0/threaded
https://www.securityfocus.com/bid/46320
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45357
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4190
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Director movie with a crafted CSWV RIFF chunk that causes an incorrect calculation of an offset for a substructure, which causes an out-of-bounds "seek" of heap memory, a different vulnerability than CVE-2011-0555, CVE-2010-4093, CVE-2010-4187, CVE-2010-4191, CVE-2010-4192, and CVE-2010-4306.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/archive/1/516324/100/0/threaded
https://www.securityfocus.com/bid/46324
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://www.zerodayinitiative.com/advisories/ZDI-11-080/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45358
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-4191
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0555, CVE-2010-4093, CVE-2010-4187, CVE-2010-4190, CVE-2010-4192, and CVE-2010-4306.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46325
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45359
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2010-2587
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2588 and CVE-2010-4188.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Shockwave Player: 1.0 - 11.5.8.612
External links:
https://www.adobe.com/support/security/bulletins/apsb11-01.html
https://www.securityfocus.com/bid/46316
https://www.securitytracker.com/id?1025056
https://www.vupen.com/english/advisories/2011/0335
https://exchange.xforce.ibmcloud.com/vulnerabilities/65243
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.