CVE-2025-13588

Summary

A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component.

Affected Software

VendorProductVersion RangeStatus
lKinderBuenoStreamity Xtream IPTV Player2.0affected
lKinderBuenoStreamity Xtream IPTV Player2.1affected
lKinderBuenoStreamity Xtream IPTV Player2.2affected
lKinderBuenoStreamity Xtream IPTV Player2.3affected
lKinderBuenoStreamity Xtream IPTV Player2.4affected
lKinderBuenoStreamity Xtream IPTV Player2.5affected
lKinderBuenoStreamity Xtream IPTV Player2.6affected
lKinderBuenoStreamity Xtream IPTV Player2.7affected
lKinderBuenoStreamity Xtream IPTV Player2.8affected
lKinderBuenoStreamity Xtream IPTV Player2.8.1unaffected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References