CVE-2013-2022Cross-site Scripting in Jplayer

CWE-79Cross-site ScriptingCWE-20Improper Input ValidationCWE-189CWE-787Out-of-bounds WriteCWE-94Code InjectionCWE-120Classic Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-264CWE-200Sensitive Information Exposure43 documents11 sources
Severity
4.3MEDIUMNVD
CISA9.8CISA8.8CISA7.8CISA7.5CISA6.5
EPSS
0.6%
top 29.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Happyworm JplayerOwncloudOwncloud Server
Timeline
PublishedAug 17
Latest updateOct 11

Description

Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.23 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery par

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

npmhappyworm/jplayer< 2.3.0
NVDhappyworm/jplayer2.2.19+81
NVDowncloud/owncloud_server38 versions+37

🔴Vulnerability Details

10
GHSA
GHSA-cg3q-wfc7-4hp7: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer2022-05-17
GHSA
jplayer Cross Site Scripting vulnerability2022-05-17
OSV
jplayer Cross Site Scripting vulnerability2022-05-17
GHSA
GHSA-g3mw-cwj5-rvgj: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer2022-05-17
OSV
CVE-2013-2022: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer2013-08-17

📋Vendor Advisories

18
Microsoft
Microsoft SharePoint Server Remote Code Execution Vulnerability2022-10-11
CISA
Linux Kernel Improper Input Validation Vulnerability2022-09-15
CISA
Linux Kernel Integer Overflow Vulnerability2022-09-15
Microsoft
Microsoft SharePoint Server Remote Code Execution Vulnerability2022-09-13
Microsoft
Microsoft SharePoint Server Remote Code Execution Vulnerability2022-06-14

💬Community

2
Bugzilla
CVE-2013-1942 CVE-2013-2022 CVE-2013-2023 owncloud: multiple XSS flaws in included Jplayer.as2013-08-22
Bugzilla
CVE-2013-1942 CVE-2013-2023 CVE-2013-2022 owncloud: multiple XSS flaws in included Jplayer.as [fedora-all]2013-08-22
CVE-2013-2022 — Cross-site Scripting in Jplayer | cvebase