CVE-2013-3565

MEDIUM

VLC Media Player < 2.0.7 - Cross-Site Scripting via HTTP Interface Parameters

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua.

Scores

CVSS v3 6.1
EPSS 0.0158
EPSS Percentile 72.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
opensuse/opensuse 13.1
videolan/vlc_media_player < 2.0.7
Published Jan 31, 2020
Tracked Since Feb 18, 2026