GitHub Advisory DatabaseGHSA-3JCQ-CWR7-6332jplayer Cross Site Scripting vulnerability
6.2 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
68.4%
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
References
marc.info/?l=oss-security&m=136570964825921&w=2
marc.info/?l=oss-security&m=136726705917858&w=2
marc.info/?l=oss-security&m=136773622321563&w=2
seclists.org/fulldisclosure/2013/Apr/192
www.jplayer.org/2.3.0/release-notes
www.openwall.com/lists/oss-security/2013/06/27/7
www.openwall.com/lists/oss-security/2013/07/04/5
github.com/advisories/GHSA-3jcq-cwr7-6332
github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373
github.com/jplayer/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373
nvd.nist.gov/vuln/detail/CVE-2013-2022
Related
6.2 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
68.4%