CVE-2013-3565 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml (2) dir parameter to requests/browse.xml or (3) URI in a request which is returned in an error message through share/lua/intf/http.lua.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://git.videolan.org/gitweb.cgi/vlc.git/?p=vlc.git;a=commitdiff;h=bf02b8dd211d5a52aa301a9a2ff4e73ed8195881 http://lists.opensuse.org/opensuse-updates/2014-03/msg00001.html http://www.videolan.org/developers/vlc-branch/NEWS https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-007.txt

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1