Platform: php
Component: open-media-player
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1
CVE-2019-25086 is a cross-site scripting (XSS) vulnerability affecting Open Media Player versions 1.0 through 1.5.0. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The issue resides within the webvtt function of the application/controllers/timedtext.php file, specifically through manipulation of the ttml_url argument. A fix is available in version 1.5.1.
Successful exploitation of CVE-2019-25086 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious outcomes, including stealing session cookies, redirecting users to phishing sites, or injecting malicious content into the application's interface. The vulnerability's remote accessibility significantly broadens the attack surface, as it can be triggered without requiring prior authentication. The impact is amplified if the Open Media Player is integrated into a larger application, as the XSS vulnerability could be leveraged to compromise the entire system.
CVE-2019-25086 was publicly disclosed in December 2022. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No proof-of-concept exploits are publicly available. The vulnerability is not listed on the CISA KEV catalog. The LOW CVSS score reflects the relatively limited impact and ease of mitigation.
Organizations using Open Media Player in their web applications, particularly those relying on older versions (1.0-1.5.0), are at risk. Shared hosting environments where multiple users share the same Open Media Player installation are especially vulnerable, as an attacker could potentially compromise other users' accounts.
• php: Examine application logs for requests to /application/controllers/timedtext.php with unusual or malformed ttml_url parameters. Use grep to search for patterns indicative of XSS payloads within these requests.
grep 'ttml_url=[^a-zA-Z0-9]' /path/to/access.log
• generic web: Use curl to test the endpoint /application/controllers/timedtext.php with a crafted ttml_url parameter containing a basic XSS payload (e.g., <script>alert(1)</script>).
curl 'http://example.com/application/controllers/timedtext.php?ttml_url=<script>alert(1)</script>'
Discovery:
Disclosure:
Exploit status:
EPSS: 1.02% (77th percentile)
CVSS vector:
The primary mitigation for CVE-2019-25086 is to upgrade Open Media Player to version 1.5.1 or later, which includes the fix (patch 3f39f2d68d11895929c04f7b49b97a734ae7cd1f). If upgrading is not immediately feasible, consider implementing input validation and sanitization on the ttml_url parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious requests targeting the timedtext.php file with unusual ttml_url parameters.
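The log review recommended in the detection and mitigation sections above, together with the allowlist check that input validation on ttml_url would enforce, worked through as an added Python example (not code from the Open Media Player project or from this advisory). The access-log lines are constructed for the example, the allowlist pattern for a caption URL is an assumption chosen here (http or https scheme, hostname, and a path limited to characters with no meaning in HTML or JavaScript), and the same check is what a PHP-side validator would apply to the parameter before the value is used or echoed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format; not real traffic.
# Line 2 carries the payload shown in this advisory; line 3 carries a value that is
# a URL but not an http(s) one, to show the allowlist also rejects non-XSS oddities.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2022:10:01:02 +0000] "GET /application/controllers/timedtext.php?ttml_url=https%3A%2F%2Fmedia.example.org%2Fcaptions%2Ftalk.ttml HTTP/1.1" 200 512
203.0.113.6 - - [10/Dec/2022:10:01:03 +0000] "GET /application/controllers/timedtext.php?ttml_url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 128
203.0.113.7 - - [10/Dec/2022:10:01:04 +0000] "GET /application/controllers/timedtext.php?ttml_url=ftp%3A%2F%2Ffiles.example.org%2Fa.ttml HTTP/1.1" 200 128
203.0.113.8 - - [10/Dec/2022:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Combined-log-format request line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist for a caption URL: http(s) scheme, hostname, optional port,
# and a path made only of unreserved URL characters plus '/' and '%'.
# Anything containing '<', '>', '"', "'" or an unexpected scheme fails.
SAFE_URL_RE = re.compile(
    r'^https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~\-/%]*)?$'
)

TIMEDTEXT_PATH = '/application/controllers/timedtext.php'


def is_safe_ttml_url(value: str) -> bool:
    """Allowlist check for the decoded ttml_url value (the input-validation step)."""
    return bool(SAFE_URL_RE.fullmatch(value))


def extract_ttml_url(target: str):
    """Return the percent-decoded ttml_url value for a timedtext.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(TIMEDTEXT_PATH):
        return None
    # parse_qs percent-decodes values, so the check below sees what PHP's $_GET sees.
    values = parse_qs(parts.query, keep_blank_values=True).get('ttml_url')
    return values[0] if values else None


def scan_access_log(text: str):
    """Return (client_ip, timestamp, decoded_ttml_url) for each timedtext.php request
    whose ttml_url fails the allowlist; these are the lines worth a closer look."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand
        value = extract_ttml_url(match.group('target'))
        if value is None:
            continue  # other endpoint, or timedtext.php without ttml_url
        if not is_safe_ttml_url(value):
            hits.append((match.group('ip'), match.group('ts'), value))
    return hits


if __name__ == '__main__':
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f'{ts} {ip} rejected ttml_url={value!r}')
```

Running the block reports the requests on lines 2 and 3 and stays silent on the well-formed caption URL. An allowlist is preferable to a blocklist of known payload fragments because it needs no updating as encodings and payload styles change; on the application side the parameter should additionally be HTML-escaped (for example with htmlspecialchars in PHP) wherever it is written into a response, since validation and output encoding guard against different mistakes.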
Upgrade Open Media Player to version 1.5.1 or later. This version contains a fix for the Cross-Site Scripting (XSS) vulnerability in the timedtext.php file. The update mitigates the risk of remote attacks exploiting this vulnerability.
CVE-2019-25086 is a cross-site scripting (XSS) vulnerability in Open Media Player versions 1.0 through 1.5.0, allowing attackers to inject malicious scripts.
You are affected if you are using Open Media Player versions 1.0, 1.1, 1.2, 1.3, or 1.4.0. Upgrade to 1.5.1 or later to resolve the issue.
Upgrade Open Media Player to version 1.5.1 or later. Apply the patch 3f39f2d68d11895929c04f7b49b97a734ae7cd1f.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-25086.
Refer to VDB-216862 for details on this vulnerability.