Rapid7 Vulnerability & Exploit Database

QuickTime: XSS and other attacks malicious QTL files with embedded XML elements (CVE-2006-4965)

Back to Search

QuickTime: XSS and other attacks malicious QTL files with embedded XML elements (CVE-2006-4965)

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
09/24/2006
Created
07/25/2018
Added
10/25/2010
Modified
02/20/2020

Description

A cross-zone scripting issue exists in QuickTime's browser plugin. By enticing a user to open a malicious QuickTime movie file or QTL file, an attacker can trigger the issue, which may lead to arbitrary JavaScript code execution in context of the local domain. This issue has been described on the Month of Apple Bugs web site (MOAB-03-01-2007). This update addresses the issue by making the following changes to the handling of URLs in the qtnext attribute of QTL files, and HREFTracks in QuickTime movies. Only "http:" and "https:" URLs are allowed if the movie is loaded from a remote site. Only "file:" URLs are allowed if the movie is loaded locally.

Solution(s)

  • quicktime-upgrade-7_1_5

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;