CVE-2018-7203

MEDIUM

Twonky Server 7.0.11-8.5 - Cross-Site Scripting via Friendlyname Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-7203. PoCs published by Sven Fassbender.

AI-analyzed exploit summary This is a writeup describing a persistent XSS vulnerability in TwonkyMedia Server versions 7.0.11 to 8.5. The vulnerability allows an attacker to inject JavaScript code via the 'Servername' input field, which executes when the web interface is accessed.

Description

Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to inject arbitrary web script or HTML via the friendlyname parameter to rpc/set_all.

Exploits (1)

exploitdb WRITEUP
by Sven Fassbender · textwebappsmultiple
https://www.exploit-db.com/exploits/44351

This is a writeup describing a persistent XSS vulnerability in TwonkyMedia Server versions 7.0.11 to 8.5. The vulnerability allows an attacker to inject JavaScript code via the 'Servername' input field, which executes when the web interface is accessed.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: TwonkyMedia Server 7.0.11-8.5
No auth needed
Prerequisites: Network access to the TwonkyMedia Server web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44351/

Scores

CVSS v3 6.1
EPSS 0.0242
EPSS Percentile 82.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
lynxtechnology/twonky_server 7.0.11 - 8.5
Published Mar 30, 2018
Tracked Since Feb 18, 2026