CVE-2010-10015

EPSS 0.12%
Published 21.08.2025 20:15:30
Last modified 22.08.2025 18:08:51
Source disclosure@vulncheck.com
Teams watchlist Login
Open Login

AOL versions up to and including 9.5 includes an ActiveX control (Phobos.dll) that exposes a method called Import() via the Phobos.Playlist COM object. This method is vulnerable to a stack-based buffer overflow when provided with an excessively long string argument. Exploitation allows remote attackers to execute arbitrary code in the context of the user, but only when the malicious HTML file is opened locally, due to the control not being marked safe for scripting or initialization. AOL remains an active and supported brand offering services like AOL Mail and AOL Desktop Gold, but the legacy AOL 9.5 desktop software—specifically the version containing the vulnerable Phobos.dll ActiveX control—is long discontinued and no longer maintained.

Affected products Warnungen 0 Metrics 2 CWE 1 References 12

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorAOL

≫

Product AOL

Default Statusunaffected

Version <= 9.5 (Revision 4337.155)

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.309

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
disclosure@vulncheck.com	8.4	0	0	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

http://www.exploit-db.com/exploits/11190

https://appdb.winehq.org/objectManager.php?sClass=version&iId=20354

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb

https://web.archive.org/web/20100804162117/http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26569

https://www.exploit-db.com/exploits/11204

https://www.fortiguard.com/encyclopedia/ips/32026/aol-phobos-dll-activex-control-import-buffer-overflow

https://www.vulncheck.com/advisories/aol-phobos-playlist-import-stack-based-buffer-overflow

https://www.exploit-db.com/exploits/11190

https://nvd.nist.gov/vuln/detail/CVE-2010-10015

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2010-10015

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2010-10015

EUVD