Real Networks RealPlayer SP < 1.1.5 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 5650


The remote host is running an application that is vulnerable to multiple attack vectors.


The remote host is running RealPlayer, a multi-media application.

RealPlayer SP builds earlier than are potentially affected by multiple vulnerabilities :

- A RealPlayer malformed 'IVR' pointer index code execution vulnerability exists. (CVE-2010-2996, CVE-2010-2998)

A RealPlayerActiveX unauthorized file access vulnerability exists. (CVE-2010-3002)

A RealPlayer 'QCP' file parsing integer overflow vulnerability exists. (CVE-2010-0116)

A vulnerability exists in the way RealPlayer processes the dimensions in the 'YUV420' transformation of 'MP4' content. (CVE-2010-0117)

A heap-based buffer overflow vulnerability exists in RealPlayer's 'QCP' parsing. (CVE-20010-0120)

A vulnerability exists in the ActiveX IE plugin relating to the opening of multiple browser windows. (CVE-2010-3001)

- An uninitialized pointer vulnerability exists in the CDDA URI ActiveX Control. (CVE-2010-3747) - A remote code execution vulnerability exists in RJMDSections. (CVE-210-3750) - A RealPlayer 'QCP' parsing heap-based buffer overflow vulnerability exists. (CVE-2010-2578)

- A remote code execution issue exists in multiple protocol handlers for the RealPlayer ActiveX control. (CVE-2010-3751)

- A stack overflow vulnerability exists in the RichFX component. (CVE-2010-3748)

- A paramenter injection vulnerability exists in the RecordClip browser extension. (CVE-2010-3749)


Upgrade to RealPlayer SP 1.1.5 or later.

See Also

Plugin Details

Severity: High

ID: 5650

Family: Web Clients

Published: 2010/08/27

Modified: 2016/01/21

Dependencies: 1735, 8314

Nessus ID: 48907

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND


Base Score: 7.3

Temporal Score: 7.1


Temporal Vector: CVSS3#E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:realnetworks:realplayer

Patch Publication Date: 2010/08/26

Vulnerability Publication Date: 2010/08/26

Exploitable With

CANVAS (D2ExploitPack)

Metasploit (RealNetworks RealPlayer CDDA URI Initialization Vulnerability)

Reference Information

CVE: CVE-2010-0116, CVE-2010-0117, CVE-2010-0120, CVE-2010-2578, CVE-2010-2996, CVE-2010-2998, CVE-2010-3000, CVE-2010-3001, CVE-2010-3002, CVE-2010-3747, CVE-2010-3748, CVE-2010-3749, CVE-2010-3750, CVE-2010-3751

BID: 42775, 44144, 44423, 44440, 44441, 44442, 44443, 44444, 44451