All the vulnerabilites related to FolioVision - FV Flowplayer Video Player
jvndb-2018-000078
Vulnerability from jvndb
Published
2018-07-17 12:27
Modified
2019-07-25 17:12
Severity ?
Summary
WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting
Details
The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products
Show details on JVN DB website


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000078.html",
  "dc:date": "2019-07-25T17:12+09:00",
  "dcterms:issued": "2018-07-17T12:27+09:00",
  "dcterms:modified": "2019-07-25T17:12+09:00",
  "description": "The WordPress plugin \"FV Flowplayer Video Player\" provided by Foliovision contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nChris Liu reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000078.html",
  "sec:cpe": {
    "#text": "cpe:/a:foliovision:fv_flowplayer_video_player",
    "@product": "FV Flowplayer Video Player",
    "@vendor": "FolioVision",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "2.6",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "6.1",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2018-000078",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN70246549/index.html",
      "@id": "JVN#70246549",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0642",
      "@id": "CVE-2018-0642",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0642",
      "@id": "CVE-2018-0642",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "WordPress plugin \"FV Flowplayer Video Player\" vulnerable to cross-site scripting"
}

cve-2023-25066
Vulnerability from cvelistv5
Published
2023-02-14 05:32
Modified
2024-08-02 11:11
Summary
Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:11:43.467Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-30-7212-cross-site-request-forgery-csrf?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "fv-wordpress-flowplayer",
          "product": "FV Flowplayer Video Player",
          "vendor": "FolioVision",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.31.7212",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.30.7212",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Cat (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;7.5.30.7212 versions.\u003c/span\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin \u003c=\u00a07.5.30.7212 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-14T05:32:00.895Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-30-7212-cross-site-request-forgery-csrf?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u0026nbsp;7.5.31.7212 or a higher version."
            }
          ],
          "value": "Update to\u00a07.5.31.7212 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress FV Flowplayer Video Player Plugin \u003c= 7.5.30.7212 is vulnerable to Cross Site Request Forgery (CSRF)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-25066",
    "datePublished": "2023-02-14T05:32:00.895Z",
    "dateReserved": "2023-02-02T09:58:52.947Z",
    "dateUpdated": "2024-08-02T11:11:43.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-5020
Vulnerability from cvelistv5
Published
2024-12-04 08:22
Modified
2024-12-04 14:09
Summary
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-04T14:02:27.273797Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-04T14:09:09.188Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Colibri Page Builder",
          "vendor": "extendthemes",
          "versions": [
            {
              "lessThanOrEqual": "1.0.286",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Gallery Plugin for WordPress \u2013 Envira Photo Gallery",
          "vendor": "smub",
          "versions": [
            {
              "lessThanOrEqual": "1.8.15",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Accordion Slider",
          "vendor": "bqworks",
          "versions": [
            {
              "lessThanOrEqual": "1.9.12",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
          "vendor": "10web",
          "versions": [
            {
              "lessThanOrEqual": "1.15.27",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Getwid \u2013 Gutenberg Blocks",
          "vendor": "jetmonsters",
          "versions": [
            {
              "lessThanOrEqual": "2.0.11",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Firelight Lightbox",
          "vendor": "firelightwp",
          "versions": [
            {
              "lessThanOrEqual": "2.3.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Responsive Lightbox \u0026 Gallery",
          "vendor": "dfactory",
          "versions": [
            {
              "lessThanOrEqual": "2.4.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Carousel, Slider, Gallery by WP Carousel \u2013 Image Carousel with Lightbox \u0026 Photo Gallery, Video Slider, Post Carousel \u0026 Post Grid, Product Carousel \u0026 Product Grid",
          "vendor": "shapedplugin",
          "versions": [
            {
              "lessThanOrEqual": "2.6.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "FancyBox for WordPress",
          "vendor": "colorlibplugins",
          "versions": [
            {
              "lessThanOrEqual": "3.3.4",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
          "vendor": "nko",
          "versions": [
            {
              "lessThanOrEqual": "3.3.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
          "vendor": "smub",
          "versions": [
            {
              "lessThanOrEqual": "3.59.4",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WPC Smart Quick View for WooCommerce",
          "vendor": "wpclever",
          "versions": [
            {
              "lessThanOrEqual": "4.1.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Easy Social Feed Premium",
          "vendor": "Easy Social Feed",
          "versions": [
            {
              "lessThanOrEqual": "6.6.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "FV Flowplayer Video Player",
          "vendor": "foliovision",
          "versions": [
            {
              "lessThanOrEqual": "7.5.47.7212",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Craig Smith"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-04T08:22:46.855Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99d4b9a-aa09-434d-91a8-7afaa0e8b5db?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3153081/colibri-page-builder"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3157076/nextgen-gallery"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3158415/envira-gallery-lite"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3156791/form-maker"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3160432/visual-portfolio"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3161422/fv-wordpress-flowplayer"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3160232/easy-fancybox"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3161892/wp-carousel-free"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3173097/responsive-lightbox"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3175577%40getwid%2Ftrunk\u0026old=3119180%40getwid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3186301%40fancybox-for-wordpress%2Ftrunk\u0026old=3058912%40fancybox-for-wordpress%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3169926/accordion-slider"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-03T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-5020",
    "datePublished": "2024-12-04T08:22:46.855Z",
    "dateReserved": "2024-05-16T16:50:11.363Z",
    "dateUpdated": "2024-12-04T14:09:09.188Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-4520
Vulnerability from cvelistv5
Published
2023-08-25 02:40
Modified
2024-08-02 07:31
Summary
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_fv_player_user_video’ parameter saved via the 'save' function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the 'save' function in versions up to, and including, 7.5.37.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, and makes it possible to update the user metas arbitrarily, but the meta value can only be a string.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:31:06.583Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c55ca7d4-6bc0-49c9-8ce0-50fff8775a76?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2957322/fv-wordpress-flowplayer#file2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/tags/7.5.36.7212/models/custom-videos.php#L341"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FV Flowplayer Video Player",
          "vendor": "foliovision",
          "versions": [
            {
              "lessThanOrEqual": "7.5.37.7212",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lana Codes"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_fv_player_user_video\u2019 parameter saved via the \u0027save\u0027 function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the \u0027save\u0027 function in versions up to, and including, 7.5.37.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, and makes it possible to update the user metas arbitrarily, but the meta value can only be a string."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-25T02:40:08.903Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c55ca7d4-6bc0-49c9-8ce0-50fff8775a76?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2957322/fv-wordpress-flowplayer#file2"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/tags/7.5.36.7212/models/custom-videos.php#L341"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-07-28T00:00:00.000+00:00",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-07-30T00:00:00.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2023-08-24T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4520",
    "datePublished": "2023-08-25T02:40:08.903Z",
    "dateReserved": "2023-08-24T14:17:58.343Z",
    "dateUpdated": "2024-08-02T07:31:06.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-30499
Vulnerability from cvelistv5
Published
2023-08-18 14:41
Modified
2024-09-25 16:42
Summary
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.32.7212 versions.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:28:51.545Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-32-7212-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-30499",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T16:14:16.725678Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T16:42:35.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "fv-wordpress-flowplayer",
          "product": "FV Flowplayer Video Player",
          "vendor": "FolioVision",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.35.7212",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.32.7212",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "LEE SE HYOUNG (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FolioVision FV Flowplayer Video Player plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;7.5.32.7212 versions.\u003c/span\u003e"
            }
          ],
          "value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FolioVision FV Flowplayer Video Player plugin \u003c=\u00a07.5.32.7212 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-18T14:41:03.606Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-32-7212-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u0026nbsp;7.5.35.7212 or a higher version."
            }
          ],
          "value": "Update to\u00a07.5.35.7212 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress FV Flowplayer Video Player Plugin \u003c= 7.5.32.7212 is vulnerable to Cross Site Scripting (XSS)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-30499",
    "datePublished": "2023-08-18T14:41:03.606Z",
    "dateReserved": "2023-04-11T14:13:43.801Z",
    "dateUpdated": "2024-09-25T16:42:35.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-6338
Vulnerability from cvelistv5
Published
2024-07-19 07:36
Modified
2024-08-01 21:33
Summary
The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ parameter in all versions up to, and including, 7.5.46.7212 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "fv_flowplayer_video_player",
            "vendor": "foliovision",
            "versions": [
              {
                "lessThanOrEqual": "7.5.46.7212",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6338",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T13:27:30.823145Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T13:29:00.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:33:05.459Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4185a0e-d944-408f-8a43-8f9c6bc3964d?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/trunk/models/video-encoder/class.fv-player-encoder-list-table.php#L308"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/3121532/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FV Flowplayer Video Player",
          "vendor": "foliovision",
          "versions": [
            {
              "lessThanOrEqual": "7.5.46.7212",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Arkadiusz Hydzik"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018exclude\u2019 parameter in all versions up to, and including, 7.5.46.7212 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-19T07:36:48.921Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4185a0e-d944-408f-8a43-8f9c6bc3964d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/trunk/models/video-encoder/class.fv-player-encoder-list-table.php#L308"
        },
        {
          "url": "https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3121532/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-18T19:26:14.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "FV Player \u003c= 7.5.46.7212 - Authenticated (Subscriber+) SQL Injection via exclude Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-6338",
    "datePublished": "2024-07-19T07:36:48.921Z",
    "dateReserved": "2024-06-25T21:20:35.569Z",
    "dateUpdated": "2024-08-01T21:33:05.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-32955
Vulnerability from cvelistv5
Published
2024-04-24 07:05
Modified
2024-08-02 02:27
Summary
Server-Side Request Forgery (SSRF) vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.43.7212.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32955",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T15:04:20.908669Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T15:04:30.512Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:27:52.404Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-43-7212-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "fv-wordpress-flowplayer",
          "product": "FV Flowplayer Video Player",
          "vendor": "Foliovision",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.45.7212",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.43.7212",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Steven Julian (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Foliovision FV Flowplayer Video Player.\u003cp\u003eThis issue affects FV Flowplayer Video Player: from n/a through 7.5.43.7212.\u003c/p\u003e"
            }
          ],
          "value": "Server-Side Request Forgery (SSRF) vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.43.7212.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-24T07:05:43.260Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-43-7212-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 7.5.45.7212 or a higher version."
            }
          ],
          "value": "Update to 7.5.45.7212 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress FV Flowplayer Video Player plugin \u003c= 7.5.43.7212 - Server Side Request Forgery (SSRF) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-32955",
    "datePublished": "2024-04-24T07:05:43.260Z",
    "dateReserved": "2024-04-22T10:41:46.934Z",
    "dateUpdated": "2024-08-02T02:27:52.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-0642
Vulnerability from cvelistv5
Published
2018-09-07 14:00
Modified
2024-08-05 03:35
Severity ?
Summary
Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:35:48.652Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers"
          },
          {
            "name": "JVN#70246549",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN70246549/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FV Flowplayer Video Player",
          "vendor": "Foliovision",
          "versions": [
            {
              "status": "affected",
              "version": "6.1.2 to 6.6.4"
            }
          ]
        }
      ],
      "datePublic": "2018-07-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-09-07T13:57:01",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers"
        },
        {
          "name": "JVN#70246549",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN70246549/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2018-0642",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "FV Flowplayer Video Player",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.1.2 to 6.6.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Foliovision"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers",
              "refsource": "CONFIRM",
              "url": "https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers"
            },
            {
              "name": "JVN#70246549",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN70246549/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2018-0642",
    "datePublished": "2018-09-07T14:00:00",
    "dateReserved": "2017-11-27T00:00:00",
    "dateUpdated": "2024-08-05T03:35:48.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-32078
Vulnerability from cvelistv5
Published
2024-04-24 15:40
Modified
2024-08-02 02:06
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.44.7212.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32078",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-29T19:08:34.777603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:51:57.255Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:06:43.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-player-plugin-7-5-44-7212-unvalidated-redirects-and-forwards-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "fv-wordpress-flowplayer",
          "product": "FV Flowplayer Video Player",
          "vendor": "Foliovision",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.45.7212",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.44.7212",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Byeongjun Jo (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Foliovision FV Flowplayer Video Player.\u003cp\u003eThis issue affects FV Flowplayer Video Player: from n/a through 7.5.44.7212.\u003c/p\u003e"
            }
          ],
          "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.44.7212.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-24T15:40:22.022Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-player-plugin-7-5-44-7212-unvalidated-redirects-and-forwards-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 7.5.45.7212 or a higher version."
            }
          ],
          "value": "Update to 7.5.45.7212 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress FV Player plugin \u003c= 7.5.44.7212 - Unvalidated Redirects and Forwards vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-32078",
    "datePublished": "2024-04-24T15:40:22.022Z",
    "dateReserved": "2024-04-10T19:18:22.679Z",
    "dateUpdated": "2024-08-02T02:06:43.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-35631
Vulnerability from cvelistv5
Published
2024-06-03 10:30
Modified
2024-08-02 03:14
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Foliovision FV Flowplayer Video Player allows Reflected XSS.This issue affects FV Flowplayer Video Player: from n/a through 7.5.45.7212.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35631",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-07T17:18:32.236344Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-07T17:19:16.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:14:53.520Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-45-7212-cross-site-scripting-xss-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "fv-wordpress-flowplayer",
          "product": "FV Flowplayer Video Player",
          "vendor": "Foliovision",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.46.7212",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.45.7212",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Dimas Maulana (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Foliovision FV Flowplayer Video Player allows Reflected XSS.\u003cp\u003eThis issue affects FV Flowplayer Video Player: from n/a through 7.5.45.7212.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Foliovision FV Flowplayer Video Player allows Reflected XSS.This issue affects FV Flowplayer Video Player: from n/a through 7.5.45.7212."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-03T10:30:46.320Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-45-7212-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 7.5.46.7212 or a higher version."
            }
          ],
          "value": "Update to 7.5.46.7212 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress FV Flowplayer Video Player plugin \u003c= 7.5.45.7212 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-35631",
    "datePublished": "2024-06-03T10:30:46.320Z",
    "dateReserved": "2024-05-17T10:07:37.224Z",
    "dateUpdated": "2024-08-02T03:14:53.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}