CVE-2011-3642

9.6 CRITICAL

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Flowplayer Flash versions 3.2.7 through 3.2.16 that allows attackers to inject malicious scripts via plugin configuration directives. It affects TYPO3 News system extension and Mahara installations using vulnerable Flowplayer Flash components. Attackers can execute arbitrary JavaScript in victims' browsers when they visit compromised pages.

💻 Affected Systems

Products:
  • Flowplayer Flash
  • TYPO3 News system extension
  • Mahara
Versions: Flowplayer Flash 3.2.7 through 3.2.16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when Flowplayer Flash is configured to load plugins from external domains via the plugin configuration directive.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, session hijacking, credential theft, and malware distribution to all users visiting affected pages.

🟠 Likely Case

Session hijacking, credential theft, and defacement of web pages for users accessing vulnerable components.

🟢 If Mitigated

Limited impact with proper content security policies, input validation, and user awareness about suspicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking users into visiting maliciously crafted URLs or pages containing the XSS payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Flowplayer Flash 3.2.17 or later

Vendor Advisory: http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-009

Restart Required: No

Instructions:

1. Update Flowplayer Flash to version 3.2.17 or later.
2. Update the TYPO3 News extension to the patched version.
3. Update Mahara to the latest version if affected.
4. Clear browser and server caches.

🔧 Temporary Workarounds

Disable external plugin loading (applies to: all)

Configure Flowplayer Flash to only load plugins from trusted, internal domains: modify the Flowplayer configuration so the 'plugins' directive points to internal URLs only.

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution sources, for example the HTTP response header:

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all plugin configuration parameters
  • Deploy web application firewall (WAF) rules to detect and block XSS attempts

🔍 How to Verify

Check if Vulnerable:

Check the Flowplayer Flash version in the web application's configuration files and asset names (for example the version embedded in the .swf file name) and verify whether it is between 3.2.7 and 3.2.16 inclusive.

Check Version:

grep -r 'flowplayer' /path/to/webroot/ | grep -i version

Verify Fix Applied:

Confirm Flowplayer Flash version is 3.2.17 or later and test plugin configuration with malicious inputs
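The grep above only surfaces lines; the following added example (not part of the original advisory or of the Flowplayer project) extracts version numbers from those lines and compares them against the vulnerable range stated on this page. The regular expression is a heuristic assumption about how Flowplayer versions typically appear in page source (e.g. "flowplayer-3.2.16.swf" or "version: '3.2.16'"); the file suffixes scanned and the sample file contents are likewise constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Vulnerable range per the advisory: 3.2.7 through 3.2.16 inclusive; fixed in 3.2.17.
VULN_MIN = (3, 2, 7)
VULN_MAX = (3, 2, 16)

# Heuristic (assumption): a dotted three-part version within 40 characters after
# "flowplayer". Lookarounds stop IPv4 addresses (192.168.1.1) from being taken as a
# version while still allowing "3.2.16.swf".
VERSION_RE = re.compile(
    r"flowplayer.{0,40}?(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\.?\d)", re.IGNORECASE
)


def parse_version(text):
    """'3.2.16' -> (3, 2, 16)."""
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable(version):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return VULN_MIN <= v <= VULN_MAX


def find_flowplayer_versions(text):
    """All distinct Flowplayer version tuples found in a blob of text, sorted."""
    return sorted({(int(a), int(b), int(c)) for a, b, c in VERSION_RE.findall(text)})


def report(named_texts):
    """named_texts: iterable of (name, text). Returns {name: {versions, vulnerable}}."""
    result = {}
    for name, text in named_texts:
        versions = find_flowplayer_versions(text)
        if versions:
            result[name] = {
                "versions": [".".join(map(str, v)) for v in versions],
                "vulnerable": any(is_vulnerable(v) for v in versions),
            }
    return result


def scan_directory(root, suffixes=(".html", ".htm", ".js", ".php", ".ts", ".txt")):
    """Walk a webroot and yield (path, text) for files likely to reference the player."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            yield str(path), path.read_text(encoding="utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample webroot, not taken from any real deployment.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "old.html").write_text(
            "<script>flowplayer('player', 'flowplayer-3.2.16.swf');</script>"
        )
        (Path(tmp) / "new.html").write_text(
            "<script>flowplayer('player', 'flowplayer-3.2.17.swf');</script>"
        )
        for name, info in report(scan_directory(tmp)).items():
            flag = "VULNERABLE" if info["vulnerable"] else "ok"
            print(f"{flag:10} {name} {info['versions']}")
```

Run it with your own webroot substituted for the temporary directory; any file reporting VULNERABLE should be checked against the patch steps above, and a result of no findings means only that no version string was recognised, not that the player is absent.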

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin configuration requests
  • External domain references in plugin directives
  • JavaScript execution errors from unexpected sources

Network Indicators:

  • HTTP requests with suspicious plugin parameters
  • External script loading from untrusted domains

SIEM Query:

web_requests WHERE url CONTAINS 'plugin' AND (url CONTAINS 'javascript:' OR url CONTAINS 'data:' OR url CONTAINS 'http://' OR url CONTAINS 'https://')
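The SIEM pseudo-query above matches on raw URL text, which misses requests whose plugin parameters arrive URL-encoded (and double-encoded) as web servers log them. The following added example (not part of the original advisory or of any SIEM product) applies the same indicators to access-log lines after decoding the request target, and additionally suppresses hits whose plugin host is on an allow-list of internal domains, mirroring the "internal URLs only" workaround. The log format, the allowed host, and all sample lines are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts you legitimately serve Flowplayer plugins from (adjust to your site).
ALLOWED_HOSTS = {"media.example.internal"}

# Apache combined-style request line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The page's indicators: javascript:, data:, and absolute http(s) URLs.
SCHEME_RE = re.compile(r'(javascript:|data:|https?://[^\s"\'<>]+)', re.IGNORECASE)

# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:12:00:01 +0000] "GET /news/video?plugin=controls HTTP/1.1" 200 512
203.0.113.6 - - [10/Mar/2014:12:00:02 +0000] "GET /news/video?id=42 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2014:12:00:03 +0000] "GET /news/video?config=%7B%22plugins%22%3A%7B%22ctl%22%3A%7B%22url%22%3A%22http%3A%2F%2Fmedia.example.internal%2Fcontrols.swf%22%7D%7D%7D HTTP/1.1" 200 512
203.0.113.8 - - [10/Mar/2014:12:00:04 +0000] "GET /news/video?config=%7B%22plugins%22%3A%7B%22ctl%22%3A%7B%22url%22%3A%22http%3A%2F%2Fexample.org%2Fp.swf%22%7D%7D%7D HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2014:12:00:05 +0000] "GET /news/video?plugins=javascript%253Avoid(0) HTTP/1.1" 200 512
"""


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded values are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_target(target):
    """Return the list of reasons a request target (path + query) looks suspicious."""
    decoded = fully_decode(target)
    if "plugin" not in decoded.lower():
        return []
    reasons = []
    for match in SCHEME_RE.finditer(decoded):
        token = match.group(1)
        low = token.lower()
        if low.startswith("javascript:"):
            reasons.append("javascript: scheme in plugin parameter")
        elif low.startswith("data:"):
            reasons.append("data: URI in plugin parameter")
        else:
            host = urlsplit(token).hostname or ""
            if host not in ALLOWED_HOSTS:
                reasons.append(f"external plugin URL host {host!r}")
    return reasons


def scan_log(text):
    """Run the indicator logic over log text; returns one alert dict per flagged line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        reasons = classify_target(m.group("target"))
        if reasons:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "target": m.group("target"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], "; ".join(alert["reasons"]))
```

Of the five constructed lines only the external-host request and the double-encoded javascript: request are flagged; the request naming an allowed internal plugin host and the plain "plugin=controls" request are not, which is the noise reduction the raw substring query lacks.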

🔗 References
