CVE-2013-3565 in VLC Media Player

Summary

by MITRE

Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua.

Analysis

by VulDB Data Team • 04/27/2025

The vulnerability identified as CVE-2013-3565 represents a critical cross-site scripting weakness in VideoLAN VLC Media Player's HTTP interface, affecting versions prior to 2.0.7. This flaw exists within the media player's web-based management system that allows remote attackers to execute malicious scripts through carefully crafted HTTP requests. The vulnerability manifests in three distinct attack vectors that exploit different parameters within the HTTP interface, making it particularly dangerous as it provides multiple pathways for exploitation. The core issue stems from insufficient input validation and output sanitization within the HTTP interface components, specifically in the requests/vlm_cmd.xml, requests/browse.xml, and general URI handling mechanisms.

The technical exploitation of this vulnerability occurs through the manipulation of specific parameters that are processed by the share/lua/intf/http.lua script. When an attacker sends a malicious request containing crafted script code in the command parameter of vlm_cmd.xml, the dir parameter of browse.xml, or directly within the URI, the vulnerable media player fails to properly sanitize these inputs before returning them in error messages or response content. This lack of proper input filtering creates an environment where malicious JavaScript code can be executed within the context of a victim's browser session, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability directly maps to CWE-79, which describes Cross-Site Scripting flaws, and specifically aligns with the CWE-79.104 variant that deals with insufficient output escaping in web applications.

The operational impact of CVE-2013-3565 extends beyond simple script injection, as it enables attackers to potentially compromise user sessions and perform unauthorized actions within the media player's interface. An attacker could exploit this vulnerability to gain access to the media player's configuration settings, manipulate playlist contents, or even execute commands on the host system if additional vulnerabilities exist. The attack requires no special privileges and can be executed remotely, making it particularly concerning for networked environments where the VLC media player's HTTP interface is exposed to untrusted networks. This vulnerability particularly affects users who have enabled the HTTP interface for remote management or streaming purposes, creating a persistent threat vector that remains active as long as the vulnerable interface remains accessible.

Mitigation strategies for this vulnerability should prioritize immediate patching of VLC Media Player to version 2.0.7 or later, which contains the necessary input validation and sanitization fixes. Organizations should also consider disabling the HTTP interface when it is not required for operation, as this eliminates the attack surface entirely. Network segmentation and firewall rules can help restrict access to the HTTP interface to trusted IP addresses only, while implementing proper input validation at the application level can provide additional defense-in-depth measures. Security monitoring should be enhanced to detect suspicious HTTP requests containing script code patterns, and regular security assessments should verify that no other components of the media player infrastructure remain vulnerable to similar input handling issues. The vulnerability demonstrates the importance of following secure coding practices and adhering to the principle of least privilege when exposing web interfaces, particularly in media and entertainment software that may be deployed in diverse network environments.
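The monitoring step above can be sketched as a log check covering the three vectors named in the summary. This is an added example, not code from VLC or VulDB. It assumes requests to the HTTP interface are logged in common log format (for instance by a reverse proxy in front of it), and the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint -> parameter pairs named in the CVE-2013-3565 summary.
WATCHED_PARAMS = {"/requests/vlm_cmd.xml": "command", "/requests/browse.xml": "dir"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>]")

# Constructed sample lines; the log format is an assumption, not VLC output.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /requests/status.xml HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /requests/browse.xml?dir=%2Fhome%2Fuser%2FMusic HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /requests/vlm_cmd.xml?command=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /requests/browse.xml?dir=%253Cb%253E HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2024:10:01:04 +0000] "GET /%3Cb%3Emissing HTTP/1.1" 404 200',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the vector name ('command', 'dir' or 'uri'), or None if clean."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    raw_target = match.group(1)
    target = urlsplit(raw_target)
    param = WATCHED_PARAMS.get(target.path)
    if param:
        for value in parse_qs(target.query, keep_blank_values=True).get(param, []):
            if MARKUP_RE.search(fully_decode(value)):
                return param
    # Vector 3: the request URI itself is returned in an error message.
    return "uri" if MARKUP_RE.search(fully_decode(raw_target)) else None

def scan(lines):
    """Return (line_number, vector) for every flagged log line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, start=1)]
    return [(n, vector) for n, vector in hits if vector]

if __name__ == "__main__":
    for number, vector in scan(SAMPLE_LOG):
        print(f"line {number}: markup characters in {vector}")
```

Matching only on angle brackets keeps false positives low for legitimate `dir` paths and VLM commands; it complements, and does not replace, upgrading to 2.0.7 or later.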
