A vulnerability, which was classified as problematic, has been found in Kodi up to 17.6. Affected by this issue is an unknown part. The manipulation with an unknown input leads to a cross site scripting vulnerability (Persistent). Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. CVE summarizes:

A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.

The bug was discovered 04/18/2018. The weakness was presented 04/18/2018 as not defined mailinglist post (Full-Disclosure). The advisory is shared for download at seclists.org. This vulnerability is handled as CVE-2018-8831 since 03/20/2018. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.007.

The exploit is available at exploit-db.com. It is declared as proof-of-concept.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at Exploit-DB (44487).

Productinfo

Name

• Kodi

Version

• 17.0
• 17.1
• 17.2
• 17.3
• 17.4
• 17.5
• 17.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion