CVE-2013-2022

Description

Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.

How to fix CVE-2013-2022

To remediate CVE-2013-2022, upgrade the affected package to a fixed version below.

• —upgrade to 2.3.0 or later

Is CVE-2013-2022 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.3.0

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2022
• PATCHgithub.com/jplayer/jPlayer
• WEBmarc.info/?l=oss-security&m=136570964825921&w=2
• WEBmarc.info/?l=oss-security&m=136726705917858&w=2
• WEB