IBM SPSS SamplePower 3.0 < 3.0 FP 1 Multiple ActiveX Controls Arbitrary Code Execution

This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.


Synopsis :

The remote host has multiple ActiveX controls with code execution
vulnerabilities.

Description :

The remote install of IBM SPSS SamplePower has a vulnerable version of
one or more ActiveX controls installed. 'Vsflex8l.ocx', 'c1sizer.ocx',
'vsflex7l.ocx', and 'olch2x32.ocx' ActiveX controls have unspecified
arbitrary code execution vulnerabilities, which can be exploited by
tricking a user into opening a specially crafted web page.

See also :

http://www.zerodayinitiative.com/advisories/ZDI-13-092/
http://www.zerodayinitiative.com/advisories/ZDI-13-099/
http://www.zerodayinitiative.com/advisories/ZDI-13-100/
http://www.zerodayinitiative.com/advisories/ZDI-13-101/
http://www.nessus.org/u?fef142e2
http://www.nessus.org/u?5ef00761
http://www.nessus.org/u?caa21312
http://www.nessus.org/u?64d1094a

Solution :

Upgrade to IBM SPSS SamplePower 3.0 FP 1 or higher.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 66473

Bugtraq ID: 59527, 59556, 59557, 59559

CVE ID: CVE-2012-5945, CVE-2012-5946, CVE-2012-5947, CVE-2013-0593
