CVE-2017-14142 in Kaltura
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before 13.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) partnerId or (2) playerVersion parameter to server/admin_console/web/tools/bigRedButton.php; the (3) partnerId, (4) playerVersion, (5) secret, (6) entryId, (7) adminUiConfId, or (8) uiConfId parameter to server/admin_console/web/tools/bigRedButtonPtsPoc.php; the (9) streamUsername, (10) streamPassword, (11) streamRemoteId, (12) streamRemoteBackupId, or (13) entryId parameter to server/admin_console/web/tools/AkamaiBroadcaster.php; the (14) entryId parameter to server/admin_console/web/tools/XmlJWPlayer.php; or the (15) partnerId or (16) playerVersion parameter to server/alpha/web/lib/bigRedButtonPtsPocHlsjs.php.
Analysis
by VulDB Data Team • 06/22/2024
The vulnerability described in CVE-2017-14142 represents a critical cross-site scripting issue affecting the Kaltura media platform prior to version 13.2.0. This vulnerability manifests across multiple endpoints, most of them tools within the administrative console, specifically targeting parameters used in various PHP scripts that handle user input without proper sanitization or validation. The affected components include bigRedButton.php, bigRedButtonPtsPoc.php, AkamaiBroadcaster.php, XmlJWPlayer.php, and bigRedButtonPtsPocHlsjs.php, all of which process user-supplied data that can be manipulated to execute malicious scripts within the context of authenticated users' browsers. These vulnerabilities fall under CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications.
The technical exploitation of these vulnerabilities occurs when remote attackers provide malicious input through specified parameters that are directly reflected in the web application's response without appropriate output encoding or validation. When administrators or users access pages containing these reflected XSS payloads, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The attack vectors span across multiple parameter types including partner identifiers, player versions, secret keys, entry identifiers, and configuration parameters, indicating a systemic lack of input validation across the administrative interface. This widespread nature of the vulnerability suggests that attackers could leverage any of these parameters to compromise the system's integrity and user sessions.
The operational impact of these XSS vulnerabilities is severe, as they provide attackers with the capability to escalate privileges and perform unauthorized actions within the Kaltura administrative environment. An attacker could potentially manipulate the system to inject malicious code that would execute in the context of authenticated administrators, leading to complete compromise of the media platform. The vulnerability affects the administrative console tools that manage critical functions such as broadcast configuration, media entry management, and system configuration, making it particularly dangerous for organizations relying on Kaltura for content management. These vulnerabilities also align with ATT&CK technique T1059.007, which involves the execution of scripts through web shells or command-line interfaces, and T1566, which covers the use of malicious payloads delivered via web applications.
Organizations should immediately upgrade to Kaltura version 13.2.0 or later to remediate these vulnerabilities, as this release includes proper input validation and output encoding mechanisms that prevent the reflection of malicious scripts. Additionally, implementing proper content security policies, input sanitization, and regular security assessments of web applications can significantly reduce the risk of exploitation. Security teams should also consider implementing web application firewalls to detect and block suspicious parameter values, and conduct regular penetration testing to identify similar vulnerabilities in other components of their media infrastructure. The vulnerability highlights the importance of maintaining up-to-date security patches and implementing defense-in-depth strategies to protect against common web application vulnerabilities that can lead to complete system compromise.
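A log-hunting sketch for the scripts and parameters listed in the summary, added here as an example and not taken from Kaltura or VulDB. It assumes combined-format access logs, parameters sent in the query string, and a deployment-dependent URL prefix (so it matches on the script file name); the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script file name -> parameters named in the CVE-2017-14142 description.
AFFECTED = {
    "bigRedButton.php": {"partnerId", "playerVersion"},
    "bigRedButtonPtsPoc.php": {"partnerId", "playerVersion", "secret",
                               "entryId", "adminUiConfId", "uiConfId"},
    "AkamaiBroadcaster.php": {"streamUsername", "streamPassword", "streamRemoteId",
                              "streamRemoteBackupId", "entryId"},
    "XmlJWPlayer.php": {"entryId"},
    "bigRedButtonPtsPocHlsjs.php": {"partnerId", "playerVersion"},
}
MARKUP = re.compile(r"""[<>"']""")  # characters that must not reach HTML unencoded
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return sorted (script, parameter) pairs whose value carries markup characters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    hits = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; the extra unquote catches double-encoded values.
        if name in AFFECTED.get(script, ()) and MARKUP.search(value + unquote(value)):
            hits.add((script, name))
    return sorted(hits)

def scan(lines):
    """Return (line_number, hits) for every line that has at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := suspicious_params(line))]

# Constructed sample lines; the /admin_console/tools/ URL prefix is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /admin_console/tools/bigRedButton.php?partnerId=101&playerVersion=2.55 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin_console/tools/bigRedButton.php?partnerId=101%22%3E%3Cb%3Ex&playerVersion=2.55 HTTP/1.1" 200 530',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /admin_console/tools/XmlJWPlayer.php?entryId=0_ab%253Ci%253E HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

Hits on `secret` or `streamPassword` can be legitimate values containing quotes, so treat results as leads for review rather than confirmed attempts.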