Multiple Cross-Site Scripting Vulnerabilities in VideoLAN VLC Media Player
CVE-2013-3565

6.1MEDIUM

Key Information:

Vendor
Videolan
Status
Vlc Media Player
Vendor
CVE Published:
31 January 2020

Summary

The VLC Media Player contains multiple XSS vulnerabilities in its HTTP interface prior to version 2.0.7. Attackers can exploit these weaknesses by injecting arbitrary web scripts or HTML through specific parameters in requests, including 'command' in requests/vlm_cmd.xml, 'dir' in requests/browse.xml, or a URI in an error message response. This could lead to unauthorized actions being performed in the context of the user's session when interacting with the VLC Media Player.

References

http://www.videolan.org/developers/vlc-branch/NEWS
x_refsource_MISC
https://www3.trustwave.com/spiderlabs/advisories/TWSL2013...
x_refsource_MISC
http://git.videolan.org/gitweb.cgi/vlc.git/?p=vlc.git%3Ba...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.