VYPR
Unrated severity · NVD Advisory · Published Oct 4, 2011 · Updated Apr 29, 2026

CVE-2011-1221


Description

Cross-zone scripting vulnerability in the RealPlayer ActiveX control in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5 allows remote attackers to inject arbitrary web script or HTML in the Local Zone via a local HTML document, a different vulnerability than CVE-2011-2947.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-zone scripting in RealPlayer ActiveX control allows remote attackers to inject arbitrary web script or HTML in the Local Zone via a local HTML document.

Vulnerability

A cross-zone scripting vulnerability exists in the RealPlayer ActiveX control, affecting RealPlayer 11.0 through 11.1, 14.0.0 through 14.0.5, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.0 through 2.1.5. The flaw allows a remote attacker to inject arbitrary web script or HTML into the Local Zone by leveraging a local HTML document processed by the control [1].

Exploitation

An attacker can craft a malicious local HTML document that, when opened by a victim (e.g., via a downloaded file or a network share), triggers the vulnerable ActiveX control to execute injected script in the Local Zone. No authentication is required, and the attack can be performed remotely by enticing the user to access the crafted document [1].

Impact

Successful exploitation enables the attacker to execute arbitrary script or HTML in the Local Zone, which typically has higher privileges than the Internet Zone. This can lead to unauthorized access to local resources, data theft, or further compromise of the affected system [1].

Mitigation

RealNetworks released a security update on August 16, 2011, to address this vulnerability. Users should upgrade to the latest version of RealPlayer as specified in the advisory [1]. No workarounds are documented; applying the patch is the recommended mitigation.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

27
  • cpe:2.3:a:realnetworks:realplayer:11.0:*:*:*:*:*:*:* + 14 more
    • cpe:2.3:a:realnetworks:realplayer:11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:14.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:14.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:14.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:14.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:14.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:14.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:2.0:*:enterprise:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:2.1.2:*:enterprise:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:2.1.3:*:enterprise:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:2.1.4:*:enterprise:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:2.1.5:*:enterprise:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer:2.1:*:enterprise:*:*:*:*:*
    • (no CPE) range: >=11.0 <=11.1, >=14.0.0 <=14.0.5
  • cpe:2.3:a:realnetworks:realplayer_sp:1.0.0:*:*:*:*:*:*:* + 10 more
    • cpe:2.3:a:realnetworks:realplayer_sp:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:realnetworks:realplayer_sp:1.1.5:*:*:*:*:*:*:*
    • (no CPE) range: >=1.0 <=1.1.5
  • Range: >=2.0 <=2.1.5


References

1
