Description
Multiple cross-site scripting (XSS) vulnerabilities in LongTail Video JW Player through 5.10.2295 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) logo.link, or (3) aboutlink parameter, or a nested URI scheme name for (4) javascript, (5) asfunction, or (6) vbscript.
Exploits (2)
exploitdb · WORKING POC · VERIFIED · by MustLive · text · webapps · php
https://www.exploit-db.com/exploits/37672
exploitdb · WORKING POC · VERIFIED · by MustLive · text · webapps · php
https://www.exploit-db.com/exploits/37552
References (6)
Core References
Vendor Advisory (x_refsource_misc): http://developer.longtailvideo.com/trac/ticket/1585
Third Party Advisory (x_refsource_misc): http://technet.microsoft.com/security/msvr/msvr12-009
Third Party Advisory, VDB Entry (x_refsource_misc): https://www.securityfocus.com/bid/54101/discuss
Third Party Advisory, VDB Entry (x_refsource_misc): https://www.securityfocus.com/bid/55199/exploit
Third Party Advisory, VDB Entry (x_refsource_misc): https://www.exploit-db.com/exploits/37552
Third Party Advisory, VDB Entry (x_refsource_misc): https://www.exploit-db.com/exploits/37672
Scores
CVSS v3: 6.1
EPSS: 0.1014
EPSS Percentile: 93.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): longtailvideo/jw_player < 5.10.2295
Published: Feb 20, 2020
Tracked Since: Feb 18, 2026