CVE-2017-14142 Information

Feb 14, 2021 cve

Description

Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before 13.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) partnerId or (2) playerVersion parameter to server/admin_console/web/tools/bigRedButton.php; the (3) partnerId (4) playerVersion (5) secret (6) entryId (7) adminUiConfId or (8) uiConfId parameter to server/admin_console/web/tools/bigRedButtonPtsPoc.php; the (9) streamUsername (10) streamPassword (11) streamRemoteId (12) streamRemoteBackupId or (13) entryId parameter to server/admin_console/web/tools/AkamaiBroadcaster.php; the (14) entryId parameter to server/admin_console/web/tools/XmlJWPlayer.php; or the (15) partnerId or (16) playerVersion parameter to server/alpha/web/lib/bigRedButtonPtsPocHlsjs.php.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://www.securityfocus.com/bid/100976 https://github.com/kaltura/server/pull/6003/commits/7e00a578d6ba748f6d3bdc255a40a4a0a594e6f9 https://github.com/kaltura/server/pull/6003/commits/a63362aa87d668d5ebf4a89cdd5bb8b815ac7f70 https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1

Share on: