{"api_version":"1","generated_at":"2026-04-23T11:32:16+00:00","cve":"CVE-2009-3735","urls":{"html":"https://cve.report/CVE-2009-3735","api":"https://cve.report/api/cve/CVE-2009-3735.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2009-3735","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2009-3735"},"summary":{"title":"CVE-2009-3735","description":"The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method.","state":"PUBLIC","assigner":"cert@cert.org","published_at":"2010-02-11 17:30:00","updated_at":"2018-10-12 21:56:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"http://www.kb.cert.org/vuls/id/869993","name":"VU#869993","refsource":"CERT-VN","tags":["US Government Resource"],"title":"VU#869993 - Panda Security ActiveScan fails to properly validate downloaded software","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/38067","name":"38067","refsource":"BID","tags":[],"title":"Panda ActiveScan 'as2stubie.dll' ActiveX Control Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.vupen.com/english/advisories/2010/0354","name":"ADV-2010-0354","refsource":"VUPEN","tags":["Vendor Advisory"],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/38485","name":"38485","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Panda ActiveScan \"as2stubie.dll\" Unverified CAB Installation - Advisories - Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.kb.cert.org/vuls/id/MAPG-7QPKL3","name":"http://www.kb.cert.org/vuls/id/MAPG-7QPKL3","refsource":"MISC","tags":[],"title":"Panda Software Ltd. Information for VU#869993","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-008","name":"MS10-008","refsource":"MS","tags":[],"title":"Microsoft Security Bulletin MS10-008 - Critical | Microsoft Docs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2009-3735","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3735","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2009","cve_id":"3735","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"panda","cpe5":"panda_activescan","cpe6":"2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"3735","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"panda","cpe5":"panda_activescan","cpe6":"2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cert@cert.org","ID":"CVE-2009-3735","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"ADV-2010-0354","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2010/0354"},{"name":"MS10-008","refsource":"MS","url":"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-008"},{"name":"http://www.kb.cert.org/vuls/id/MAPG-7QPKL3","refsource":"MISC","url":"http://www.kb.cert.org/vuls/id/MAPG-7QPKL3"},{"name":"38067","refsource":"BID","url":"http://www.securityfocus.com/bid/38067"},{"name":"VU#869993","refsource":"CERT-VN","url":"http://www.kb.cert.org/vuls/id/869993"},{"name":"38485","refsource":"SECUNIA","url":"http://secunia.com/advisories/38485"}]}},"nvd":{"publishedDate":"2010-02-11 17:30:00","lastModifiedDate":"2018-10-12 21:56:00","problem_types":["CWE-94"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:panda:panda_activescan:2.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2009","CveId":"3735","Ordinal":"40953","Title":"CVE-2009-3735","CVE":"CVE-2009-3735","Year":"2009"},"notes":[{"CveYear":"2009","CveId":"3735","Ordinal":"1","NoteData":"The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method.","Type":"Description","Title":null},{"CveYear":"2009","CveId":"3735","Ordinal":"2","NoteData":"2010-02-11","Type":"Other","Title":"Published"},{"CveYear":"2009","CveId":"3735","Ordinal":"3","NoteData":"2018-10-12","Type":"Other","Title":"Modified"}]}}}