Vulnerability in LongTail Video JW Player Could Allow Cross-Site Scripting

Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting LongTail Video JW Player software version 5.9.2145 and earlier versions. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the affected vendor, LongTail Video. LongTail Video has remediated the vulnerability in their software.

A vulnerability exists in the way that the JW Player handles user input that results in a cross-site scripting issue. An attacker who successfully exploited the vulnerability could perform cross-site scripting attacks against users that visit websites that utilize JW Player. An attacker could then potentially run script in the context of the site user.

Microsoft Vulnerability Research reported this issue to and coordinated with LongTail Video to ensure remediation of this issue. The vulnerability has been assigned the entry, CVE-2012-3351, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from LongTail Video, see LongTail Video Ticket 1585.

Mitigating Factors

• An attacker must convince a victim to click a malicious link that has a specially crafted URL.