CVE-2017-20219

Summary

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.

Affected Software

VendorProductVersion RangeStatus
ServiioServiio PRO1.8.0.0 PROaffected
ServiioServiio PRO1.7.1affected
ServiioServiio PRO1.7.0affected
ServiioServiio PRO1.6.1affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References