This vulnerability allows remote attackers to execute arbitrary code on affected installations of GoPro Player. Exploitation requires user interaction: the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MOV files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. The accompanying record lists no CVE identifier and a CVSS score of 0.0 with vector NONE, which appears to mean the issue was unscored when the record was captured rather than rated as negligible; triage should not rely on that score alone.
{"id": "ZDI-21-788", "vendorId": null, "type": "zdi", "bulletinFamily": "info", "title": "(0Day) GoPro Player MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of GoPro Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MOV files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.", "published": "2021-07-13T00:00:00", "modified": "2021-07-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-788/", "reporter": "garmin", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-07-13T06:34:02", "viewCount": 31, "enchantments": {"dependencies": {}, "score": {"value": 4.5, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 4.5}, "_state": {"dependencies": 1646160432, "score": 1684008354, "epss": 1679098904}, "_internal": {"score_hash": "e6d08b78c87eff28349c826d005071e5"}}