CVE-2012-2904

LongTail JW Player 5.9 - Cross-Site Scripting via Debug Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2904. PoCs published by gainover.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in JW Player by injecting arbitrary JavaScript code via the 'debug' parameter in the SWF file URL. The PoC triggers a simple alert, proving the lack of input sanitization.

Description

player.swf in LongTail JW Player 5.9 allows remote attackers to conduct cross-site scripting (XSS) attacks to inject arbitrary web script or HTML via multiple "javascript:" sequences in the debug parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by gainover · textwebappsphp
https://www.exploit-db.com/exploits/37205

This exploit demonstrates a cross-site scripting (XSS) vulnerability in JW Player by injecting arbitrary JavaScript code via the 'debug' parameter in the SWF file URL. The PoC triggers a simple alert, proving the lack of input sanitization.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: JW Player (version not specified)
No auth needed
Prerequisites: Victim must visit a crafted URL
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/75672
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49130
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/53554
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2012/May/132

Scores

EPSS 0.0449
EPSS Percentile 90.4%

Details

CWE
CWE-79
Status published
Products (1)
longtailvideo/jw_player 5.9
Published May 21, 2012
Tracked Since Feb 18, 2026