CVE-2013-1942
jPlayer < 2.2.20 - Cross-Site Scripting via jQuery or id Parameters
Exploitation Summary
EIP tracks 1 public exploit for CVE-2013-1942. PoCs published by Malte Batram.
AI-analyzed exploit summary: This exploit demonstrates a cross-site scripting (XSS) vulnerability in jPlayer by injecting malicious script code via the 'id' parameter in the SWF file URL. The payload uses a crafted image tag with an 'onerror' event to execute arbitrary JavaScript.
Description
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
Exploits (1)
This exploit demonstrates a cross-site scripting (XSS) vulnerability in jPlayer by injecting malicious script code via the 'id' parameter in the SWF file URL. The payload uses a crafted image tag with an 'onerror' event to execute arbitrary JavaScript.