QID 997925
Date Published: 2024-04-03
QID 997925: NodeJs (Npm) Security Update for jplayer (GHSA-3jcq-cwr7-6332)
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, a different vulnerability than CVE-2013-1942 and CVE-2013-2023, as demonstrated by using the alert function in the jQuery parameter. NOTE: these are the same parameters as CVE-2013-1942, but the fix for CVE-2013-1942 uses a blacklist for the jQuery parameter.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
Solution
Refer to Github security advisory GHSA-3jcq-cwr7-6332 for updates and patch information.
Vendor References
- GHSA-3jcq-cwr7-6332 -
github.com/advisories/GHSA-3jcq-cwr7-6332
CVEs related to QID 997925
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-3jcq-cwr7-6332 | jplayer |
|