CVE-2013-2022

描述

Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.

如何修補 CVE-2013-2022

要修補 CVE-2013-2022,請將受影響套件升級到下列已修補版本。

• —升級至 2.3.0 或更新版本

CVE-2013-2022 正在被利用嗎?

低 — EPSS 為 0.6%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.3.0

參考連結(11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2022
• PATCHgithub.com/jplayer/jPlayer
• WEBmarc.info/?l=oss-security&m=136570964825921&w=2
• WEBmarc.info/?l=oss-security&m=136726705917858&w=2
• WEB