CVE-2009-2011

2009-06-1621:00:00

CWE-78

mitre

web.nvd.nist.gov

cve-2009-2011

worldweaver dx studio player

remote code execution

javascript api

firefox plugin

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

7.5

Confidence

Low

EPSS

0.883

Percentile

98.7%

JSON

Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method.

Affected configurations

Nvd

Node

dxstudiodx_studio_playerRange≤3.0.29.0

dxstudiodx_studio_playerMatch3.0.12.0

dxstudiodx_studio_playerMatch3.0.22.0

AND

mozillafirefox

VendorProductVersionCPE
dxstudiodx_studio_player*cpe:2.3:a:dxstudio:dx_studio_player:*:*:*:*:*:*:*:*
dxstudiodx_studio_player3.0.12.0cpe:2.3:a:dxstudio:dx_studio_player:3.0.12.0:*:*:*:*:*:*:*
dxstudiodx_studio_player3.0.22.0cpe:2.3:a:dxstudio:dx_studio_player:3.0.22.0:*:*:*:*:*:*:*
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dxstudio	dx_studio_player	*	cpe:2.3:a:dxstudio:dx_studio_player::::::::
dxstudio	dx_studio_player	3.0.12.0	cpe:2.3:a:dxstudio:dx_studio_player:3.0.12.0:::::::*
dxstudio	dx_studio_player	3.0.22.0	cpe:2.3:a:dxstudio:dx_studio_player:3.0.22.0:::::::*
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::