CVE-2011-2947
Description
Cross-zone scripting vulnerability in the RealPlayer ActiveX control in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to inject arbitrary web script or HTML in the Local Zone via a local HTML document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RealPlayer ActiveX control cross-zone scripting allows remote code execution via local HTML files in the Local Zone.
Vulnerability
A cross-zone scripting vulnerability exists in the RealPlayer ActiveX control in RealNetworks RealPlayer versions 11.0 through 11.1, 14.0.0 through 14.0.5, and RealPlayer SP 1.0 through 1.1.5. The control allows loading local HTML files with scripting enabled without any security warning, enabling arbitrary web script or HTML injection in the Local Zone [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a user to visit a malicious web page or open a malicious file. The RealPlayer ActiveX control can be scripted from a web browser to load a local HTML file, which then executes script in the Local Zone context. No authentication or special network position is required beyond user interaction [2].
Impact
Successful exploitation allows remote code execution under the context of the current user. The attacker gains the ability to inject arbitrary script or HTML into the Local Zone, potentially leading to full compromise of the affected system [2].
Mitigation
RealNetworks released a security advisory on August 16, 2011, addressing this vulnerability [1]. Users should upgrade to the latest version of RealPlayer as specified in the advisory. No workaround is available; applying the vendor-supplied update is the recommended mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (19)
- cpe:2.3:a:realnetworks:realplayer:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:14.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:14.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:14.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:14.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:14.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:14.0.5:*:*:*:*:*:*:*
- (no CPE) range: >=11.0 <=11.1, >=14.0.0 <=14.0.5, SP >=1.0 <=1.1.5
- cpe:2.3:a:realnetworks:realplayer_sp:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.1.5:*:*:*:*:*:*:*
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.