CVE-2013-2023
Published: 2013-08-15
Priority: P4 · 20 · medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
EPSS: 2.46% (82.4th percentile)
Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to incomplete blacklists, a different vulnerability than CVE-2013-1942 and CVE-2013-2022.
Affected
137 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| happyworm | jplayer | <= 2.2.19 | — |
| happyworm | jplayer | <= 2.2.22 | — |
| happyworm | jplayer | <= 2.3.0 | — |
| happyworm | jplayer | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 4.3 | MEDIUM | — |
| osv | — | 4.3 | MEDIUM | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
GHSA · ghsa_unreviewed · 2022-05-17 · CVSS 4.3
CVE-2013-1942 [MEDIUM] CWE-79 GHSA-cg3q-wfc7-4hp7: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
GHSA · ghsa · 2022-05-17 · CVSS 4.3
CVE-2013-2022 [MEDIUM] CWE-79 jplayer Cross Site Scripting vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
OSV · osv · 2022-05-17 · CVSS 4.3
CVE-2013-2022 [MEDIUM] jplayer Cross Site Scripting vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
GHSA · ghsa_unreviewed · 2022-05-17 · CVSS 4.3
CVE-2013-2023 [MEDIUM] CWE-79 GHSA-g3mw-cwj5-rvgj: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to incomplete blacklists, a different vulnerability than CVE-2013-1942 and CVE-2013-2022.
OSV · osv · 2013-08-17 · CVSS 4.3
CVE-2013-2022 [MEDIUM] CVE-2013-2022: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.23 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
OSV · osv · 2013-08-15 · CVSS 4.3
CVE-2013-2023 [MEDIUM] CVE-2013-2023: Cross-site scripting (XSS) vulnerability in actionscript/Jplayer
Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to incomplete blacklists, a different vulnerability than CVE-2013-1942 and CVE-2013-2022.
OSV · osv · 2013-08-15 · CVSS 4.3
CVE-2013-1942 [MEDIUM] CVE-2013-1942: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
Red Hat · vendor_redhat · 2025-05-02 · CVSS 5.5
CVE-2023-53114 [MEDIUM] CWE-476 kernel: i40e: Fix kernel crash during reboot when adapter is in recovery mode
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix kernel crash during reboot when adapter is in recovery mode
If the driver detects during probe that firmware is in recovery
mode then i40e_init_recovery_mode() is called and the rest of
probe function is skipped including pci_set_drvdata(). Subsequent
i40e_shutdown() called during shutdown/reboot dereferences NULL
pointer as pci_get_drvdata() returns NULL.
To fix, call pci_set_drvdata() also when entering recovery mode.
Reproducer:
1) Let's have an i40e NIC with firmware in recovery mode
2) Run reboot
Result:
[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver
[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corpor
Microsoft · vendor_msrc · 2023-04-11 · CVSS 8.1
CVE-2023-28288 [HIGH] CWE-918 Microsoft SharePoint Server Spoofing Vulnerability
FAQ: I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install both updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?
No. The Cumulative update for SharePoint Server 2013 includes the update for Foundation Server 2013. Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013.
Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
The attacker must be authenticated and possess the p
CISA · cisa · 2023-03-30 · CVSS 8.8
CVE-2013-3163 [HIGH] CWE-94 Microsoft Internet Explorer Memory Corruption Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code or cause a denial of service via a crafted website.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055; https://nvd.nist.gov/vuln/detail/CVE-2013-3163
Remediation Due Date: 2023-04-20
Microsoft · vendor_msrc · 2023-02-14 · CVSS 9.8
CVE-2023-21716 [CRITICAL] CWE-190 Microsoft Word Remote Code Execution Vulnerability
FAQ: What is the attack vector for this vulnerability?
An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file.
FAQ: Is the Preview Pane an attack vector for this vulnerability?
Yes, the Preview Pane is an attack vector.
FAQ: I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?
No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:
Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update
Both of
Microsoft · vendor_msrc · 2023-02-14 · CVSS 8.8
CVE-2023-21717 [HIGH] CWE-284 Microsoft SharePoint Server Elevation of Privilege Vulnerability
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.
FAQ: How could an attacker exploit the vulnerability?
In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
FAQ: I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?
No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:
Cumulative update (ubersrv1
Microsoft · vendor_msrc · 2023-01-10 · CVSS 8.8
CVE-2023-21742 [HIGH] CWE-284 Microsoft SharePoint Server Remote Code Execution Vulnerability
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
The attacker must be authenticated to the target site as at least a Site Member.
FAQ: How could an attacker exploit the vulnerability?
In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions (PR:L), could execute code remotely on the SharePoint Server.
FAQ: I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install both updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?
No. The Cumulative update for SharePoint Server 2013 includes the update for Foundation Server 2013. Customers running SharePoint Server 2013 Service P
Suricata · suricata · 2013-01-30 · CVSS 10.0
CVE-2012-5958 [CRITICAL] ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2
Rule:

```
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:bad-unknown; sid:2016303; rev:5; metadata:created_at 2013_01_30, cve CVE_2012_5958, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_05_02; target:src_ip;)
```
No public exploits indexed.
Bugzilla · bugzilla · 2013-08-22 · CVSS 4.3
CVE-2013-1942 [MEDIUM] CVE-2013-1942 CVE-2013-2022 CVE-2013-2023 owncloud: multiple XSS flaws in included Jplayer.as
The following vulnerabilities were reported and fixed in Jplayer 2.3.0, which is included in owncloud and wt (however the affected Jplayer.as is only found in the owncloud package):
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1942 to
the following vulnerability:
Name: CVE-2013-1942
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1942
Assigned: 20130219
Reference: http://marc.info/?l=oss-security&m=136570964825921&w=2
Reference: http://marc.info/?l=oss-security&m=136726705917858&w=2
Reference: http://marc.info/?l=oss-security&m=136773622321563&w=2
Reference: http://www.jplayer.org/2.3.0/release-notes/
Reference: https://github.com/happyworm/jPlayer/commit/e8
Bugzilla · bugzilla · 2013-08-22 · CVSS 4.3
CVE-2013-1942 [MEDIUM] CVE-2013-1942 CVE-2013-2023 CVE-2013-2022 owncloud: multiple XSS flaws in included Jplayer.as [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
References:
http://marc.info/?l=oss-security&m=136570964825921&w=2
http://marc.info/?l=oss-security&m=136726705917858&w=2
http://marc.info/?l=oss-security&m=136773622321563&w=2
http://seclists.org/fulldisclosure/2013/Apr/192
http://www.jplayer.org/latest/release-notes/
http://www.openwall.com/lists/oss-security/2013/06/27/7
http://www.openwall.com/lists/oss-security/2013/07/04/5
https://github.com/happyworm/jPlayer/commit/8ccc429598d62eebe9f65a0a4e6fd406a123c8b4
https://github.com/happyworm/jPlayer/commit/c2417972af1295be8dcc07470b0e3d25b0a77e0b
https://github.com/happyworm/jPlayer/issues/162