CVE-2022-32271: 
RealPlayer Cloud vulnerability analysis and mitigation

In Real Player 20.0.8.310, there is a DCP:// URI Remote Arbitrary Code Execution Vulnerability (CVE-2022-32271). This vulnerability affects the internal URL Protocol used by Real Player to reference files containing URLs. The issue was disclosed on June 3, 2022, and affects Real Player version 20.0.8.310 and potentially earlier versions (NVD).

The vulnerability exists in the DCP:// (Data Cache Protocol) URI scheme, which is an internal protocol used by Real Player to retrieve URLs for display in the Player browser tab. The protocol retrieves files from '%appdata%\real\realplayer'. The vulnerability allows attackers to inject script code to arbitrary domains and reference arbitrary local files. The CVSS v3.1 base score is 9.6 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) (NVD, GitHub POC).

The vulnerability allows attackers to execute arbitrary code in the context of the current user through a combination of file planting and DCP:// URI manipulation. This can lead to complete system compromise, allowing attackers to gain access to sensitive data and execute malicious code on the affected system (GitHub POC).

No official patches or mitigations have been explicitly documented in the available sources. Users are advised to exercise caution when opening files or clicking on links in Real Player, and consider using alternative media players until a fix is available.