CVE-2013-2022
Published: 2013-08-17
Priority: P4 (medium) · CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 2.72% (84.2nd percentile)
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.23 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
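The note above is the whole story of this identifier: the CVE-2013-1942 fix filtered the jQuery FlashVar with a blacklist, and CVE-2013-2022 is the same two parameters reached with alert() instead of document.write. The JavaScript below is an added example, not jPlayer's ActionScript and not the project's fix. It models the string jplayer.swf would hand to ExternalInterface.call() (the exact layout of that string is an assumption; what is certain is that Flash evaluates the first argument of ExternalInterface.call() as the function expression to invoke), a blacklist of the kind the advisory describes (its entries are assumed), and an allowlist that only accepts an identifier path for jQuery and a plain element id. Every FlashVars sample is constructed, not captured traffic.

```javascript
'use strict';

// Assumed shape of the expression the SWF asks the browser to evaluate. Because
// ExternalInterface.call() treats its first argument as a function expression,
// anything concatenated into this string runs as script in the page's origin.
function buildCallbackExpression(flashVars) {
  const jq = typeof flashVars.jQuery === 'string' ? flashVars.jQuery : 'jQuery';
  const id = typeof flashVars.id === 'string' ? flashVars.id : '';
  return jq + '("#' + id + '").jPlayer("jPlayerFlashEvent")';
}

// Blacklist in the spirit of the CVE-2013-1942 fix: refuse a few known-bad
// substrings in the jQuery parameter only. The entries are assumed; the page
// does not list the original ones.
const BLACKLIST = ['document.write', '<script', 'eval('];

function passesBlacklist(flashVars) {
  const v = String(flashVars.jQuery === undefined ? '' : flashVars.jQuery).toLowerCase();
  return !BLACKLIST.some((bad) => v.includes(bad));
}

// Allowlist: jQuery must be a dotted identifier path ("jQuery", "$", "window.jQuery")
// and id must be a plain element id. Neither can then carry call syntax, quotes
// or comment markers, so the built string stays the one the SWF intended.
const JQUERY_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const DOM_ID = /^[A-Za-z][\w:.-]*$/;

function passesAllowlist(flashVars) {
  return typeof flashVars.jQuery === 'string' && JQUERY_NAME.test(flashVars.jQuery)
    && typeof flashVars.id === 'string' && DOM_ID.test(flashVars.id);
}

// Run one FlashVars set through both filters and show what would be evaluated.
function triage(flashVars) {
  return {
    expression: buildCallbackExpression(flashVars),
    blacklistAccepts: passesBlacklist(flashVars),
    allowlistAccepts: passesAllowlist(flashVars),
  };
}

// Constructed FlashVars sets (illustrative, not real requests).
const SAMPLES = {
  benign: { jQuery: 'jQuery', id: 'jquery_jplayer_1' },
  // CVE-2013-1942 style: document.write in the jQuery parameter.
  cve20131942: { jQuery: 'document.write("<img src=x onerror=alert(1)>");//', id: 'x' },
  // CVE-2013-2022 style: alert in the jQuery parameter. The blacklist never sees
  // "document.write", so the value passes, and the trailing // drops the rest.
  cve20132022: { jQuery: 'alert(document.domain);//', id: 'x' },
  // The id parameter is a sink too: close the selector string, add a statement.
  idInjection: { jQuery: 'jQuery', id: 'x").jPlayer;alert(1);//' },
};

for (const [name, fv] of Object.entries(SAMPLES)) {
  console.log(name, triage(fv));
}
```

Run it with node. The payloads are beside the point: ExternalInterface.call() invokes whatever function expression it is handed, so a filter that enumerates bad substrings is sidestepped by any function name it did not list (alert here, and CVE-2013-2023 notes the later blacklists were still incomplete). Only constraining the shape of both values, or passing them as call arguments rather than splicing them into the code string, closes the sink.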
Affected
129 ranges indexed, 25 shown, of which three carry a version bound:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| happyworm | jplayer | <= 2.2.19 | — |
| happyworm | jplayer | <= 2.2.22 | — |
| happyworm | jplayer | <= 2.3.0 | — |
The index leaves the fixed-in column empty. The advisory texts on this page give 2.2.23 (NVD, OSV) or 2.3.0 (GHSA) as the first release that addresses CVE-2013-2022, and 2.3.1 as the first release that also addresses CVE-2013-2023.
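With an empty fixed-in column and three sibling identifiers that close at different releases (2.2.20 for CVE-2013-1942, 2.2.23 for this one per NVD, 2.3.1 for CVE-2013-2023), the practical question is which of them a given deployment still meets. The JavaScript below is an added triage helper, not project code: it pulls the version string out of jquery.jplayer.js text (the `version: { script: "..." }` layout is an assumption about that file), compares versions numerically rather than as strings, and lists the identifiers that still apply. The sample file text is constructed.

```javascript
'use strict';

// First fixed release per identifier, as stated in the advisories on this page.
// GHSA/OSV give 2.3.0 for CVE-2013-2022; the NVD text gives 2.2.23 and is used here.
const FIXED_IN = [
  { cve: 'CVE-2013-1942', fixed: '2.2.20' },
  { cve: 'CVE-2013-2022', fixed: '2.2.23' },
  { cve: 'CVE-2013-2023', fixed: '2.3.1' },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised version: ' + v);
  return m.slice(1).map(Number);
}

// Numeric comparison: "2.2.9" is older than "2.2.23", which a string compare gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Assumed layout of the version field in jquery.jplayer.js; returns null if absent.
function extractVersion(source) {
  const m = /\bscript\s*:\s*["'](\d+\.\d+\.\d+)["']/.exec(source);
  return m ? m[1] : null;
}

// Identifiers whose first fixed release is newer than the deployed version.
function exposedCves(version) {
  return FIXED_IN
    .filter((e) => compareVersions(version, e.fixed) < 0)
    .map((e) => e.cve);
}

function triageSource(source) {
  const version = extractVersion(source);
  return version === null ? null : { version, exposed: exposedCves(version) };
}

// Constructed sample, not an excerpt of the real file.
const SAMPLE_JPLAYER_JS = `
$.jPlayer.prototype = {
  version: { script: "2.2.22", needFlash: "2.2.22", flash: "jplayer.swf" },
};`;

console.log(triageSource(SAMPLE_JPLAYER_JS));
```

Because the flaw lives in jplayer.swf, the JavaScript version is only a proxy: the SWF shipped with a release is the file that must be replaced, and a site that updated jquery.jplayer.js but left an older jplayer.swf in place (or cached on a CDN) is still exposed. Given the disagreement between advisories, the conservative target is 2.3.1 or later, which clears all three identifiers.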
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 4.3 | MEDIUM | — |
| osv | — | 4.3 | MEDIUM | — |
The 9.8 CRITICAL (cisa) and 8.8 HIGH (vendor_msrc) scores attached to this record come from CISA KEV and MSRC entries for other CVEs and do not rate CVE-2013-2022; every source that scores this flaw gives 4.3 MEDIUM.
GHSA
GHSA-cg3q-wfc7-4hp7: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
ghsa_unreviewed·2022-05-17·CVSS 4.3 · CVE-2013-1942 [MEDIUM] CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
GHSA / OSV
jplayer Cross Site Scripting vulnerability
ghsa·2022-05-17·CVSS 4.3 and osv·2022-05-17·CVSS 4.3 · CVE-2013-2022 [MEDIUM] CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
This reviewed GHSA/OSV text gives 2.3.0 as the first fixed release; the NVD description above and the OSV record dated 2013-08-17 give 2.2.23.
GHSA / OSV
GHSA-g3mw-cwj5-rvgj: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
ghsa_unreviewed·2022-05-17·CVSS 4.3 and osv·2013-08-15·CVSS 4.3 · CVE-2013-2023 [MEDIUM] CWE-79
Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to incomplete blacklists, a different vulnerability than CVE-2013-1942 and CVE-2013-2022.
OSV
CVE-2013-2022: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer (osv·2013-08-17·CVSS 4.3 [MEDIUM]) and CVE-2013-1942: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer (osv·2013-08-15·CVSS 4.3 [MEDIUM]) carry the NVD descriptions reproduced above, with first fixed releases 2.2.23 and 2.2.20 respectively.
No public exploits indexed.
Bugzilla
CVE-2013-1942 CVE-2013-2022 CVE-2013-2023 owncloud: multiple XSS flaws in included Jplayer.as
bugzilla·2013-08-22·CVSS 4.3 · CVE-2013-1942 [MEDIUM]
The following vulnerabilities were reported and fixed in Jplayer 2.3.0, which is included in owncloud and wt (however the affected Jplayer.as is only found in the owncloud package):
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1942 to
the following vulnerability:
Name: CVE-2013-1942
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1942
Assigned: 20130219
Reference: http://marc.info/?l=oss-security&m=136570964825921&w=2
Reference: http://marc.info/?l=oss-security&m=136726705917858&w=2
Reference: http://marc.info/?l=oss-security&m=136773622321563&w=2
Reference: http://www.jplayer.org/2.3.0/release-notes/
Reference: https://github.com/happyworm/jPlayer/commit/e8
Bugzilla
CVE-2013-1942 CVE-2013-2023 CVE-2013-2022 owncloud: multiple XSS flaws in included Jplayer.as [fedora-all]
bugzilla·2013-08-22·CVSS 4.3 · CVE-2013-1942 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
References:
http://marc.info/?l=oss-security&m=136570964825921&w=2
http://marc.info/?l=oss-security&m=136726705917858&w=2
http://marc.info/?l=oss-security&m=136773622321563&w=2
http://seclists.org/fulldisclosure/2013/Apr/192
http://www.jplayer.org/2.3.0/release-notes/
http://www.openwall.com/lists/oss-security/2013/06/27/7
http://www.openwall.com/lists/oss-security/2013/07/04/5
https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373