Lucene search

[email protected]NVD:CVE-2022-25229

HistoryMay 20, 2022 - 11:15 a.m.

CVE-2022-25229

2022-05-2011:15:07

CWE-79

[email protected]

web.nvd.nist.gov

popcorn time

stored xss

movies api server

nodejs

os commands

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.8%

JSON

Popcorn Time 0.4.7 has a Stored XSS in the ‘Movies API Server(s)’ field via the ‘settings’ page. The ‘nodeIntegration’ configuration is set to on which allows the ‘webpage’ to use ‘NodeJs’ features, an attacker can leverage this to run OS commands.

Affected configurations

Nvd

Node

popcorn_time_projectpopcorn_timeMatch0.4.7

VendorProductVersionCPE
popcorn_time_projectpopcorn_time0.4.7cpe:2.3:a:popcorn_time_project:popcorn_time:0.4.7:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
popcorn_time_project	popcorn_time	0.4.7	cpe:2.3:a:popcorn_time_project:popcorn_time:0.4.7:::::::*

References

fluidattacks.com/advisories/bowie/

github.com/popcorn-official/popcorn-desktop/issues/2491

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.8%

JSON

Related for NVD:CVE-2022-25229

cnvd1 cvelist1 prion1 osv1 cve1