Description
Winamp 2.65 through 3.0 stores skin files in a predictable file location, which allows remote attackers to execute arbitrary code via a URL reference to (1) wsz and (2) wal files that contain embedded code.
Products
- Nullsoft Winamp 2.65
- Nullsoft Winamp 2.70
- Nullsoft Winamp 2.71
- Nullsoft Winamp 2.72
- Nullsoft Winamp 2.73
- Nullsoft Winamp 2.74
- Nullsoft Winamp 2.75
- Nullsoft Winamp 2.76
- Nullsoft Winamp 2.77
- Nullsoft Winamp 2.78
- Nullsoft Winamp 2.79
- Nullsoft Winamp 2.80
- Nullsoft Winamp 3.1
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2002-2392, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2002-2392 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Check out the advisory links provided below.
References