CVE-2013-3565 — Cross-site Scripting in VLC Media Player

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 39.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Videolan VLC Media Player Opensuse

Timeline

PublishedJan 31

Latest updateMay 5

Description

Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDvideolan/vlc_media_player< 2.0.7

▶Debianvideolan/vlc_media_player< 2.0.7-1+3

▶NVDopensuse/opensuse13.1

🔴Vulnerability Details

GHSA

GHSA-4php-vvmh-7vx6: Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2↗2022-05-05

▶

OSV

CVE-2013-3565: Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2↗2020-01-31

▶

CVEList

CVE-2013-3565: Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2↗2020-01-31

▶

📋Vendor Advisories

Debian

CVE-2013-3565: vlc - Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in Vid...↗2013

▶