IBM SPSS SamplePower vsflex8l ActiveX Control ComboList Property Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS SamplePower. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the IBM SPSS SamplePower VSFlexGrid8.VSFlexGridL ActiveX control. The control performs insufficient bounds checking on user-supplied data passed into the ComboList or ColComboList methods before copying it to a fixed-length buffer in global memory. An attacker can exploit this condition to achieve code execution under the context of the browser process.