Description
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Malte Batram · textwebappsjsp
https://www.exploit-db.com/exploits/38460
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/59030
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=136773622321563&w=2
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=136570964825921&w=2
Various Sources x_refsource_confirm
http://www.jplayer.org/2.3.0/release-notes/
Vendor Advisory x_refsource_confirm
http://owncloud.org/about/security/advisories/oC-SA-2013-014/
Exploit, Patch x_refsource_confirm
https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2013/Apr/192
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=136726705917858&w=2
Scores
EPSS
0.0880
EPSS Percentile
92.6%
Details
CWE
CWE-79
Status
published
Products (50)
happyworm/jplayer
0.2.1 beta
happyworm/jplayer
0.2.2 beta
happyworm/jplayer
0.2.3 beta
happyworm/jplayer
0.2.4 beta
happyworm/jplayer
0.2.5 beta
happyworm/jplayer
1.0.0
happyworm/jplayer
1.1.0
happyworm/jplayer
1.1.1
happyworm/jplayer
1.2.0
happyworm/jplayer
2.0.0
... and 40 more
Published
Aug 15, 2013
Tracked Since
Feb 18, 2026