oss-sec mailing list archives
Re: CVE-2013-1942 jPlayer 2.2.19 XSS
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 29 Apr 2013 13:30:09 -0600
On 04/20/2013 11:19 AM, Mark Panaghiston wrote:

jPlayer 2.3.0 has been released that officially fixes this issue:
http://www.jplayer.org/
https://github.com/happyworm/jPlayer

Tagged as *2.3.0* on GitHub.
https://github.com/happyworm/jPlayer/commit/c1c7a4dfa63bb6684d3670202e4a65d400dfce86

Full Release Notes for jPlayer 2.3.0:
http://www.jplayer.org/2.3.0/release-notes/

In particular these fixes addressed security issues. Listed with their GitHub commits for code reference:

[2.2.20] Security Fix: The Flash SWF had a security vulnerability that enabled XSS (Cross Site Scripting). Reported by Malte Batram. Security reference CVE-2013-1942 <https://access.redhat.com/security/cve/>.
https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d

Sorry for the late reply. Please use CVE-2013-2022 for this issue.

[2.2.23] Security Fix: The Flash SWF had a minor security vulnerability that enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin.
https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373

Please use CVE-2013-2023 for this issue.

Best regards,
Mark Panaghiston
jPlayer lead developer

On 11/04/2013 20:47, Kurt Seifried wrote:

ownCloud brought this to my attention (they use it, I'm guessing other people use it as well).
https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d

Please use CVE-2013-1942 for this issue.

The only contact info I can find is hello () happyworm com for upstream.

--
*Mark Panaghiston*
www.happyworm.com <http://www.happyworm.com/>
tel: +44 (0) 131 346 8088
skype: mark_panaghiston
follow: @thepag <http://www.twitter.com/thepag/>

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993