CVE-2013-3565
MEDIUMVLC Media Player < 2.0.7 - Cross-Site Scripting via HTTP Interface Parameters
Title source: llmDescription
Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua.
References (4)
Core 4
Core References
Patch x_refsource_misc
http://git.videolan.org/gitweb.cgi/vlc.git/?p=vlc.git%3Ba=commitdiff%3Bh=bf02b8dd211d5a52aa301a9a2ff4e73ed8195881
Release Notes x_refsource_misc
http://www.videolan.org/developers/vlc-branch/NEWS
Exploit, Third Party Advisory x_refsource_misc
https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-007.txt
Third Party Advisory x_refsource_misc
http://lists.opensuse.org/opensuse-updates/2014-03/msg00001.html
Scores
CVSS v3
6.1
EPSS
0.0158
EPSS Percentile
72.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
opensuse/opensuse
13.1
videolan/vlc_media_player
< 2.0.7
Published
Jan 31, 2020
Tracked Since
Feb 18, 2026