CVE-2013-1942
Published 2013-08-15
Priority: P4 · 28 · medium · 4.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 5.49% (91.8th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
Affected
122 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| happyworm | jplayer | <= 2.2.19 | — |
| happyworm | jplayer | <= 2.2.22 | — |
| happyworm | jplayer | <= 2.3.0 | — |
| happyworm | jplayer | — | — |
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
ghsa · 4.3 MEDIUM
osv · 4.3 MEDIUM
GHSA
GHSA-cg3q-wfc7-4hp7: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2013-1942 [MEDIUM] CWE-79 GHSA-cg3q-wfc7-4hp7: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
GHSA
jplayer Cross Site Scripting vulnerability
ghsa·2022-05-17·CVSS 4.3
CVE-2013-2022 [MEDIUM] CWE-79 jplayer Cross Site Scripting vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
OSV
jplayer Cross Site Scripting vulnerability
osv·2022-05-17·CVSS 4.3
CVE-2013-2022 [MEDIUM] jplayer Cross Site Scripting vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
GHSA
GHSA-g3mw-cwj5-rvgj: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2013-2023 [MEDIUM] CWE-79 GHSA-g3mw-cwj5-rvgj: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to incomplete blacklists, a different vulnerability than CVE-2013-1942 and CVE-2013-2022.
OSV
CVE-2013-2022: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
osv·2013-08-17·CVSS 4.3
CVE-2013-2022 [MEDIUM] CVE-2013-2022: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.23 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
OSV
CVE-2013-2023: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
osv·2013-08-15·CVSS 4.3
CVE-2013-2023 [MEDIUM] CVE-2013-2023: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to incomplete blacklists, a different vulnerability than CVE-2013-1942 and CVE-2013-2022.
OSV
CVE-2013-1942: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
osv·2013-08-15·CVSS 4.3
CVE-2013-1942 [MEDIUM] CVE-2013-1942: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
No detection rules found.
Bugzilla
CVE-2013-1942 CVE-2013-2022 CVE-2013-2023 owncloud: multiple XSS flaws in included Jplayer.as
bugzilla·2013-08-22·CVSS 4.3
CVE-2013-1942 [MEDIUM] CVE-2013-1942 CVE-2013-2022 CVE-2013-2023 owncloud: multiple XSS flaws in included Jplayer.as
The following vulnerabilities were reported and fixed in Jplayer 2.3.0, which is included in owncloud and wt (however the affected Jplayer.as is only found in the owncloud package):
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1942 to
the following vulnerability:
Name: CVE-2013-1942
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1942
Assigned: 20130219
Reference: http://marc.info/?l=oss-security&m=136570964825921&w=2
Reference: http://marc.info/?l=oss-security&m=136726705917858&w=2
Reference: http://marc.info/?l=oss-security&m=136773622321563&w=2
Reference: http://www.jplayer.org/2.3.0/release-notes/
Reference: https://github.com/happyworm/jPlayer/commit/e8
Bugzilla
CVE-2013-1942 CVE-2013-2023 CVE-2013-2022 owncloud: multiple XSS flaws in included Jplayer.as [fedora-all]
bugzilla·2013-08-22·CVSS 4.3
CVE-2013-1942 [MEDIUM] CVE-2013-1942 CVE-2013-2023 CVE-2013-2022 owncloud: multiple XSS flaws in included Jplayer.as [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
References
http://marc.info/?l=oss-security&m=136570964825921&w=2
http://marc.info/?l=oss-security&m=136726705917858&w=2
http://marc.info/?l=oss-security&m=136773622321563&w=2
http://owncloud.org/about/security/advisories/oC-SA-2013-014/
http://seclists.org/fulldisclosure/2013/Apr/192
http://www.jplayer.org/2.3.0/release-notes/
http://www.securityfocus.com/bid/59030
https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d