VideoLAN VLC Media Player up to 2.1.3 src/network/httpd.c url cross site scripting

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in VideoLAN VLC Media Player up to 2.1.3. It has been rated as problematic. This affects an unknown function of the file src/network/httpd.c. This manipulation of the argument url with the input /te<script>alert("XSS");</script>st as part of GET Request causes cross site scripting.
The attack can be initiated remotely. Additionally, an exploit exists.
To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability classified as problematic was found in VideoLAN VLC Media Player up to 2.1.3 (Multimedia Player Software). Affected by this vulnerability is an unknown function of the file src/network/httpd.c. The manipulation of the argument url with the input value /te<script>alert("XSS");</script>st leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. As an impact it is known to affect integrity.
The bug was discovered 12/02/2013. The weakness was released 03/18/2014 by Francesco Perna and Pietro Minniti with Quantum Leap s.r.l as #QLA140216 as confirmed posting (Website). It is possible to read the advisory at quantumleap.it. The public release was coordinated with VideoLAN. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details and also a public exploit are known. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.
A public exploit has been developed by Francesco Perna/Pietro Minniti in HTTP GET Request and been published immediately after the advisory. It is possible to download the exploit at quantumleap.it. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 80 days. During that time the estimated underground price was around $0-$5k. The code used by the exploit is:
GET /te<script>alert("XSS");</script>st HTTP/1.1
Host: 192.168.1.101:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic OmNpYW8=
Connection: keep-aliveApplying a patch is able to eliminate this problem. The bugfix is ready for download at git.videolan.org. A possible mitigation has been published before and not just after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (92021) and SecurityFocus (BID 66307†). Additional details are provided at packetstormsecurity.com. Entry connected to this vulnerability is available at VDB-77263. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.videolan.org/
CPE 2.3
CPE 2.2
Screenshot

CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-80 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Highly functional
Author: Francesco Perna/Pietro Minniti
Programming Language: 🔍
Download: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Patch: git.videolan.org
Timeline
12/02/2013 🔍02/15/2014 🔍
02/20/2014 🔍
03/18/2014 🔍
03/18/2014 🔍
03/19/2014 🔍
03/26/2014 🔍
08/22/2016 🔍
Sources
Vendor: videolan.orgAdvisory: #QLA140216
Researcher: Francesco Perna, Pietro Minniti
Organization: Quantum Leap s.r.l
Status: Confirmed
Coordinated: 🔍
GCVE (VulDB): GCVE-100-12691
X-Force: 92021 - VLC Media Player httpd.c cross-site scripting, Medium Risk
SecurityFocus: 66307 - VLC Media Player 'src/network/httpd.c' Cross Site Scripting Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 03/26/2014 10:50Updated: 08/22/2016 10:11
Changes: 03/26/2014 10:50 (61), 08/22/2016 10:11 (9)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.