cbcvebase.
CVE-2018-8831
published 2018-04-18

CVE-2018-8831: A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim…

PriorityP352medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
53.88%
98.9th percentile
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.

Affected

2 ranges
VendorProductVersion rangeFixed in
debiankodi
kodikodi<= 17.6

Detection & IOCsextracted from sources · hover to see the quote

  • The attack vector is a maliciously crafted playlist file injected with JavaScript/HTML code; inspect playlist files (e.g., .m3u, .pls, .xspf) ingested by Kodi for embedded script tags or JavaScript URIs.
  • The XSS payload executes in the victim's browser context when the playlist is rendered; monitor Kodi's web interface HTTP responses for reflected/stored script content originating from playlist data.
  • Affected versions are Kodi 17.6 and below; flag any Kodi instance running version <= 17.6 as vulnerable to this persistent XSS via playlist.
  • ·The vulnerability is exploitable via the playlist feature specifically; the fix was tracked upstream at the referenced ticket — ensure patched builds are deployed.
  • ·Scope is listed as local, meaning the attacker likely needs the ability to supply or modify a playlist accessible to the victim's Kodi instance.

CVSS provenance

nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_debian6.1LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.