Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormManuel Garcia CardenasPACKETSTORM:147240
HistoryApr 18, 2018 - 12:00 a.m.

Kodi 17.6 Cross Site Scripting

2018-04-1800:00:00
Manuel Garcia Cardenas
packetstormsecurity.com
39

0.897 High

EPSS

Percentile

98.8%

JSON
`=============================================  
MGC ALERT 2018-003  
- Original release date: March 19, 2018  
- Last revised: April 16, 2018  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4,8/10 (CVSS Base Score)  
- CVE-ID: CVE-2018-8831  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Kodi <= 17.6 - Persistent Cross-Site Scripting  
  
II. BACKGROUND  
-------------------------  
Kodi (formerly XBMC) is a free and open-source media player software  
application developed by the XBMC Foundation, a non-profit technology  
consortium. Kodi is available for multiple operating systems and hardware  
platforms, with a software 10-foot user interface for use with televisions  
and remote controls.  
  
III. DESCRIPTION  
-------------------------  
Has been detected a Persistent XSS vulnerability in the web interface of  
Kodi, that allows the execution of arbitrary HTML/script code to be  
executed in the context of the victim user's browser.  
  
IV. PROOF OF CONCEPT  
-------------------------  
Go to: Playlist -> Create  
  
Create a playlist injecting javascript code:  
  
<img src=x onerror=alert(1)>  
  
The XSS is executed, in the victim browser.  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted user's  
browser, this can leverage to steal sensitive information as user  
credentials, personal data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Kodi <= 17.6  
  
VII. SOLUTION  
-------------------------  
Vendor include the fix:  
https://trac.kodi.tv/ticket/17814  
  
VIII. REFERENCES  
-------------------------  
https://kodi.tv/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
March 19, 2018 1: Initial release  
April 16, 2018 2: Last revision  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas  
March 19, 2018 2: Send to vendor  
March 30, 2018 3: Vendo fix  
April 16, 2018 4: Sent to lists  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XIII. ABOUT  
-------------------------  
Manuel Garcia Cardenas  
Pentester  
  
  
`

Related

ubuntucve 1
debiancve 1
alpinelinux 1
cvelist 1
zdt 1
exploitpack 1
prion 1
nvd 1
cve 1
exploitdb 1
ubuntucve
ubuntucve
CVE-2018-8831
2018-04-18 00:00:00
debiancve
debiancve
CVE-2018-8831
2018-04-18 17:29:00
alpinelinux
alpinelinux
CVE-2018-8831
2018-04-18 17:29:00
cvelist
cvelist
CVE-2018-8831
2018-04-18 17:00:00
zdt
zdt
Kodi 17.6 - Persistent Cross-Site Scripting Vulnerability
2018-04-18 00:00:00
exploitpack
exploitpack
Kodi 17.6 - Persistent Cross-Site Scripting
2018-04-18 00:00:00
prion
prion
Cross site scripting
2018-04-18 17:29:00
nvd
nvd
CVE-2018-8831
2018-04-18 17:29:00
cve
cve
CVE-2018-8831
2018-04-18 17:29:00
exploitdb
exploitdb
Kodi 17.6 - Persistent Cross-Site Scripting
2018-04-18 00:00:00

0.897 High

EPSS

Percentile

98.8%

JSON
Related for PACKETSTORM:147240
ubuntucve1debiancve1alpinelinux1cvelist1zdt1exploitpack1prion1nvd1cve1exploitdb1