CVE-2010-10015

AOL versions up to and including 9.5 includes an ActiveX control (Phobos.dll) that exposes a method called Import() via the Phobos.Playlist COM object. This method is vulnerable to a stack-based buffer overflow when provided with an excessively long string argument. Exploitation allows remote attackers to execute arbitrary code in the context of the user, but only when the malicious HTML file is opened locally, due to the control not being marked safe for scripting or initialization. AOL remains an active and supported brand offering services like AOL Mail and AOL Desktop Gold, but the legacy AOL 9.5 desktop software—specifically the version containing the vulnerable Phobos.dll ActiveX control—is long discontinued and no longer maintained.

CVSS

No CVSS.

References

Link	Resource
http://www.exploit-db.com/exploits/11190
https://appdb.winehq.org/objectManager.php?sClass=version&iId=20354
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb
https://web.archive.org/web/20100804162117/http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=26569
https://www.exploit-db.com/exploits/11204
https://www.fortiguard.com/encyclopedia/ips/32026/aol-phobos-dll-activex-control-import-buffer-overflow
https://www.vulncheck.com/advisories/aol-phobos-playlist-import-stack-based-buffer-overflow
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb
https://www.exploit-db.com/exploits/11190
https://www.exploit-db.com/exploits/11204

Configurations

No configuration.

History

22 Aug 2025, 16:15

Type	Values Removed	Values Added
Summary		(es) Las versiones de AOL hasta la 9.5 incluida incluyen un control ActiveX (Phobos.dll) que expone un método llamado Import() a través del objeto COM Phobos.Playlist. Este método es vulnerable a un desbordamiento de búfer basado en la pila cuando se le proporciona un argumento de cadena excesivamente largo. Esta explotación permite a atacantes remotos ejecutar código arbitrario en el contexto del usuario, pero solo cuando el archivo HTML malicioso se abre localmente, ya que el control no está marcado como seguro para scripting o inicialización. AOL sigue siendo una marca activa y con soporte, que ofrece servicios como AOL Mail y AOL Desktop Gold, pero el software de escritorio heredado de AOL 9.5 —en concreto, la versión que contiene el control ActiveX vulnerable Phobos.dll— lleva tiempo descontinuado y sin mantenimiento.
References		() https://www.exploit-db.com/exploits/11190 -
References	~~() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb -~~	() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/aol_phobos_bof.rb -
References	~~() https://www.exploit-db.com/exploits/11204 -~~	() https://www.exploit-db.com/exploits/11204 -

21 Aug 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-21 20:15

Updated : 2025-08-22 18:08

NVD link : CVE-2010-10015

Mitre link : CVE-2010-10015

CVE.ORG link : CVE-2010-10015

JSON object : View

Products Affected

No product.

CWE

CWE-121

Stack-based Buffer Overflow

JSON object

Attach tags to CVE-2010-10015

Attach tags to `CVE-2010-10015`