CVE-2018-8831
Published 2018-04-18
CVE-2018-8831: A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim…
Priority P3 | 52 | medium | 6.1 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 53.88% (98.9th percentile)
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kodi | — | — |
| kodi | kodi | <= 17.6 | — |
Detection & IOCs (extracted from sources)
- The attack vector is a maliciously crafted playlist file injected with JavaScript/HTML code; inspect playlist files (e.g., .m3u, .pls, .xspf) ingested by Kodi for embedded script tags or JavaScript URIs.
- The XSS payload executes in the victim's browser context when the playlist is rendered; monitor Kodi's web interface HTTP responses for reflected/stored script content originating from playlist data.
- Affected versions are Kodi 17.6 and below; flag any Kodi instance running version <= 17.6 as vulnerable to this persistent XSS via playlist.
- The vulnerability is exploitable via the playlist feature specifically; the fix was tracked upstream at the referenced ticket, so ensure patched builds are deployed.
- Scope is listed as local, meaning the attacker likely needs the ability to supply or modify a playlist accessible to the victim's Kodi instance.
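CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | LOW | |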
GHSA
ghsa_unreviewed·2022-05-14
CVE-2018-8831 [MEDIUM] CWE-79 GHSA-h8r8-r3f3-wmh3: A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
OSV
osv·2018-04-18·CVSS 6.1
CVE-2018-8831 [MEDIUM] CVE-2018-8831: A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
Debian
vendor_debian·2018·CVSS 6.1
CVE-2018-8831 [MEDIUM] CVE-2018-8831: kodi - A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that ...
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
trixie: resolved
Published: 2018-04-18