A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
{"prion": [{"lastseen": "2023-11-22T02:53:14", "description": "A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-04-18T17:29:00", "type": "prion", "title": "Cross site scripting", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8831"], "modified": "2018-05-22T16:55:00", "id": "PRION:CVE-2018-8831", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-8831", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:24", "description": "\nKodi 17.6 - Persistent Cross-Site Scripting", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-04-18T00:00:00", "type": "exploitpack", "title": "Kodi 17.6 - Persistent Cross-Site Scripting", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8831"], "modified": "2018-04-18T00:00:00", "id": "EXPLOITPACK:580E26EC4982088A8BC5D4264B3AE48D", "href": "", "sourceData": "=============================================\nMGC ALERT 2018-003\n- Original release date: March 19, 2018\n- Last revised: April 16, 2018\n- Discovered by: Manuel Garcia Cardenas\n- Severity: 4,8/10 (CVSS Base Score)\n- CVE-ID: CVE-2018-8831\n=============================================\n\nI. VULNERABILITY\n-------------------------\nKodi <= 17.6 - Persistent Cross-Site Scripting\n\nII. BACKGROUND\n-------------------------\nKodi (formerly XBMC) is a free and open-source media player software\napplication developed by the XBMC Foundation, a non-profit technology\nconsortium. Kodi is available for multiple operating systems and hardware\nplatforms, with a software 10-foot user interface for use with televisions\nand remote controls.\n\nIII. DESCRIPTION\n-------------------------\nHas been detected a Persistent XSS vulnerability in the web interface of\nKodi, that allows the execution of arbitrary HTML/script code to be\nexecuted in the context of the victim user's browser.\n\nIV. PROOF OF CONCEPT\n-------------------------\nGo to: Playlist -> Create\n\nCreate a playlist injecting javascript code:\n\n<img src=x onerror=alert(1)>\n\nThe XSS is executed, in the victim browser.\n\nV. BUSINESS IMPACT\n-------------------------\nAn attacker can execute arbitrary HTML or script code in a targeted user's\nbrowser, this can leverage to steal sensitive information as user\ncredentials, personal data, etc.\n\nVI. SYSTEMS AFFECTED\n-------------------------\nKodi <= 17.6\n\nVII. SOLUTION\n-------------------------\nVendor include the fix:\nhttps://trac.kodi.tv/ticket/17814\n\nVIII. REFERENCES\n-------------------------\nhttps://kodi.tv/\n\nIX. CREDITS\n-------------------------\nThis vulnerability has been discovered and reported\nby Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).\n\nX. REVISION HISTORY\n-------------------------\nMarch 19, 2018 1: Initial release\nApril 16, 2018 2: Last revision\n\nXI. DISCLOSURE TIMELINE\n-------------------------\nMarch 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas\nMarch 19, 2018 2: Send to vendor\nMarch 30, 2018 3: Vendo fix\nApril 16, 2018 4: Sent to lists\n\nXII. LEGAL NOTICES\n-------------------------\nThe information contained within this advisory is supplied \"as-is\" with no\nwarranties or guarantees of fitness of use or otherwise.\n\nXIII. ABOUT\n-------------------------\nManuel Garcia Cardenas\nPentester", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-12-01T18:25:27", "description": "A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-04-18T17:29:00", "type": "debiancve", "title": "CVE-2018-8831", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8831"], "modified": "2018-04-18T17:29:00", "id": "DEBIANCVE:CVE-2018-8831", "href": "https://security-tracker.debian.org/tracker/CVE-2018-8831", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-02T14:59:51", "description": "A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6\nthat allows the execution of arbitrary HTML/script code in the context of\nthe victim user's browser via a playlist.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-04-18T00:00:00", "type": "ubuntucve", "title": "CVE-2018-8831", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8831"], "modified": "2018-04-18T00:00:00", "id": "UB:CVE-2018-8831", "href": "https://ubuntu.com/security/CVE-2018-8831", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdt": [{"lastseen": "2018-04-20T19:55:42", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2018-04-18T00:00:00", "type": "zdt", "title": "Kodi 17.6 - Persistent Cross-Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-8831"], "modified": "2018-04-18T00:00:00", "id": "1337DAY-ID-30209", "href": "https://0day.today/exploit/description/30209", "sourceData": "=============================================\r\nMGC ALERT 2018-003\r\n- Original release date: March 19, 2018\r\n- Last revised: April 16, 2018\r\n- Discovered by: Manuel Garcia Cardenas\r\n- Severity: 4,8/10 (CVSS Base Score)\r\n- CVE-ID: CVE-2018-8831\r\n=============================================\r\n \r\nI. VULNERABILITY\r\n-------------------------\r\nKodi <= 17.6 - Persistent Cross-Site Scripting\r\n \r\nII. BACKGROUND\r\n-------------------------\r\nKodi (formerly XBMC) is a free and open-source media player software\r\napplication developed by the XBMC Foundation, a non-profit technology\r\nconsortium. Kodi is available for multiple operating systems and hardware\r\nplatforms, with a software 10-foot user interface for use with televisions\r\nand remote controls.\r\n \r\nIII. DESCRIPTION\r\n-------------------------\r\nHas been detected a Persistent XSS vulnerability in the web interface of\r\nKodi, that allows the execution of arbitrary HTML/script code to be\r\nexecuted in the context of the victim user's browser.\r\n \r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nGo to: Playlist -> Create\r\n \r\nCreate a playlist injecting javascript code:\r\n \r\n<img src=x onerror=alert(1)>\r\n \r\nThe XSS is executed, in the victim browser.\r\n \r\nV. BUSINESS IMPACT\r\n-------------------------\r\nAn attacker can execute arbitrary HTML or script code in a targeted user's\r\nbrowser, this can leverage to steal sensitive information as user\r\ncredentials, personal data, etc.\r\n \r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nKodi <= 17.6\r\n \r\nVII. SOLUTION\r\n-------------------------\r\nVendor include the fix:\r\nhttps://trac.kodi.tv/ticket/17814\r\n \r\nVIII. REFERENCES\r\n-------------------------\r\nhttps://kodi.tv/\r\n \r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered and reported\r\nby Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).\r\n \r\nX. REVISION HISTORY\r\n-------------------------\r\nMarch 19, 2018 1: Initial release\r\nApril 16, 2018 2: Last revision\r\n \r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nMarch 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas\r\nMarch 19, 2018 2: Send to vendor\r\nMarch 30, 2018 3: Vendo fix\r\nApril 16, 2018 4: Sent to lists\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied \"as-is\" with no\r\nwarranties or guarantees of fitness of use or otherwise.\r\n \r\nXIII. ABOUT\r\n-------------------------\r\nManuel Garcia Cardenas\r\nPentester\n\n# 0day.today [2018-04-20] #", "sourceHref": "https://0day.today/exploit/30209", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2018-04-19T09:07:42", "description": "", "cvss3": {}, "published": "2018-04-18T00:00:00", "type": "packetstorm", "title": "Kodi 17.6 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-8831"], "modified": "2018-04-18T00:00:00", "id": "PACKETSTORM:147240", "href": "https://packetstormsecurity.com/files/147240/Kodi-17.6-Cross-Site-Scripting.html", "sourceData": "`============================================= \nMGC ALERT 2018-003 \n- Original release date: March 19, 2018 \n- Last revised: April 16, 2018 \n- Discovered by: Manuel Garcia Cardenas \n- Severity: 4,8/10 (CVSS Base Score) \n- CVE-ID: CVE-2018-8831 \n============================================= \n \nI. VULNERABILITY \n------------------------- \nKodi <= 17.6 - Persistent Cross-Site Scripting \n \nII. BACKGROUND \n------------------------- \nKodi (formerly XBMC) is a free and open-source media player software \napplication developed by the XBMC Foundation, a non-profit technology \nconsortium. Kodi is available for multiple operating systems and hardware \nplatforms, with a software 10-foot user interface for use with televisions \nand remote controls. \n \nIII. DESCRIPTION \n------------------------- \nHas been detected a Persistent XSS vulnerability in the web interface of \nKodi, that allows the execution of arbitrary HTML/script code to be \nexecuted in the context of the victim user's browser. \n \nIV. PROOF OF CONCEPT \n------------------------- \nGo to: Playlist -> Create \n \nCreate a playlist injecting javascript code: \n \n<img src=x onerror=alert(1)> \n \nThe XSS is executed, in the victim browser. \n \nV. BUSINESS IMPACT \n------------------------- \nAn attacker can execute arbitrary HTML or script code in a targeted user's \nbrowser, this can leverage to steal sensitive information as user \ncredentials, personal data, etc. \n \nVI. SYSTEMS AFFECTED \n------------------------- \nKodi <= 17.6 \n \nVII. SOLUTION \n------------------------- \nVendor include the fix: \nhttps://trac.kodi.tv/ticket/17814 \n \nVIII. REFERENCES \n------------------------- \nhttps://kodi.tv/ \n \nIX. CREDITS \n------------------------- \nThis vulnerability has been discovered and reported \nby Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). \n \nX. REVISION HISTORY \n------------------------- \nMarch 19, 2018 1: Initial release \nApril 16, 2018 2: Last revision \n \nXI. DISCLOSURE TIMELINE \n------------------------- \nMarch 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas \nMarch 19, 2018 2: Send to vendor \nMarch 30, 2018 3: Vendo fix \nApril 16, 2018 4: Sent to lists \n \nXII. LEGAL NOTICES \n------------------------- \nThe information contained within this advisory is supplied \"as-is\" with no \nwarranties or guarantees of fitness of use or otherwise. \n \nXIII. ABOUT \n------------------------- \nManuel Garcia Cardenas \nPentester \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147240/kodi176-xss.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-12-01T15:49:57", "description": "A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-04-18T17:29:00", "type": "cve", "title": "CVE-2018-8831", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8831"], "modified": "2018-05-22T16:55:00", "cpe": ["cpe:/a:kodi:kodi:17.6"], "id": "CVE-2018-8831", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8831", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:kodi:kodi:17.6:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2023-12-01T15:54:10", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-04-18T00:00:00", "type": "exploitdb", "title": "Kodi 17.6 - Persistent Cross-Site Scripting", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2018-8831", "CVE-2018-8831"], "modified": "2018-04-18T00:00:00", "id": "EDB-ID:44487", "href": "https://www.exploit-db.com/exploits/44487", "sourceData": "=============================================\r\nMGC ALERT 2018-003\r\n- Original release date: March 19, 2018\r\n- Last revised: April 16, 2018\r\n- Discovered by: Manuel Garcia Cardenas\r\n- Severity: 4,8/10 (CVSS Base Score)\r\n- CVE-ID: CVE-2018-8831\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nKodi <= 17.6 - Persistent Cross-Site Scripting\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nKodi (formerly XBMC) is a free and open-source media player software\r\napplication developed by the XBMC Foundation, a non-profit technology\r\nconsortium. Kodi is available for multiple operating systems and hardware\r\nplatforms, with a software 10-foot user interface for use with televisions\r\nand remote controls.\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nHas been detected a Persistent XSS vulnerability in the web interface of\r\nKodi, that allows the execution of arbitrary HTML/script code to be\r\nexecuted in the context of the victim user's browser.\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nGo to: Playlist -> Create\r\n\r\nCreate a playlist injecting javascript code:\r\n\r\n<img src=x onerror=alert(1)>\r\n\r\nThe XSS is executed, in the victim browser.\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nAn attacker can execute arbitrary HTML or script code in a targeted user's\r\nbrowser, this can leverage to steal sensitive information as user\r\ncredentials, personal data, etc.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nKodi <= 17.6\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nVendor include the fix:\r\nhttps://trac.kodi.tv/ticket/17814\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttps://kodi.tv/\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered and reported\r\nby Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nMarch 19, 2018 1: Initial release\r\nApril 16, 2018 2: Last revision\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nMarch 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas\r\nMarch 19, 2018 2: Send to vendor\r\nMarch 30, 2018 3: Vendo fix\r\nApril 16, 2018 4: Sent to lists\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied \"as-is\" with no\r\nwarranties or guarantees of fitness of use or otherwise.\r\n\r\nXIII. ABOUT\r\n-------------------------\r\nManuel Garcia Cardenas\r\nPentester", "sourceHref": "https://www.exploit-db.com/raw/44487", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
CVE-2018-8831
