CVE-2013-1971

Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:S/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/59276	Vendor Advisory
https://drupal.org/node/1972804	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/83649

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:jordan_de_laune:mp3_player::::::::
	cpe:2.3:a:jordan_de_laune:mp3_player:6.x-1.0:::::::*
	cpe:2.3:a:jordan_de_laune:mp3_player:6.x-1.0:beta1::::::

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2013-06-25 18:55

Updated : 2024-02-28 12:00

NVD link : CVE-2013-1971

Mitre link : CVE-2013-1971

CVE.ORG link : CVE-2013-1971

JSON object : View

Products Affected

jordan_de_laune

mp3_player

drupal

drupal

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2013-1971", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-06-25T18:55:01.220", "references": [{"url": "http://www.securityfocus.com/bid/59276", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://drupal.org/node/1972804", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83649", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) en el m\u00f3dulo MP3 Player para Drupal v6.x que permite a usuarios autenticados remotamente inyectar c\u00f3digo script o HTML a trav\u00e9s del nombre del fichero MP3."}], "lastModified": "2017-08-29T01:33:13.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jordan_de_laune:mp3_player:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF98C9F6-5ADF-485D-9601-B172347C0BAB", "versionEndIncluding": "6.x-1.1"}, {"criteria": "cpe:2.3:a:jordan_de_laune:mp3_player:6.x-1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B0FF0A6-85B9-4F3B-94C2-5702DE3FA586"}, {"criteria": "cpe:2.3:a:jordan_de_laune:mp3_player:6.x-1.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9BBAFC4-5A65-40BC-A370-43EC9CEB7AAB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "secalert@redhat.com"}