cnvd - cnvd-2017-36361

CNVD-2017-36361

Vulnerability from cnvd - Published: 2017-12-06

Title

Logitech Media Server跨站脚本漏洞（CNVD-2017-36361）

Description

Logitech Media Server是美国罗技（Logitech）公司的一款音频播放软件。 Logitech Media Server 7.9.0版本中存在跨站脚本漏洞。远程攻击者可借助‘favorite’标签利用该漏洞注入任意的Web脚本或HTML。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： www.logitech.com

Reference

https://nvd.nist.gov/vuln/detail/CVE-2017-16567 https://www.exploit-db.com/exploits/43122/

Impacted products

Name
Logitech Media Server 7.9.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-16567"
    }
  },
  "description": "Logitech Media Server\u662f\u7f8e\u56fd\u7f57\u6280\uff08Logitech\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u97f3\u9891\u64ad\u653e\u8f6f\u4ef6\u3002\r\n\r\nLogitech Media Server 7.9.0\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018favorite\u2019\u6807\u7b7e\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684Web\u811a\u672c\u6216HTML\u3002",
  "discovererName": "Dewank Pant",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nwww.logitech.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-36361",
  "openTime": "2017-12-06",
  "products": {
    "product": "Logitech Media Server 7.9.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-16567\r\nhttps://www.exploit-db.com/exploits/43122/",
  "serverity": "\u4f4e",
  "submitTime": "2017-11-10",
  "title": "Logitech Media Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2017-36361\uff09"
}

CVE-2017-16567 (GCVE-0-2017-16567)

Vulnerability from cvelistv5 – Published: 2017-11-09 19:00 – Updated: 2025-02-04 21:09

Summary

Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Favorites" feature. This vulnerability allows remote attackers to inject and permanently store malicious JavaScript payloads, which are executed when users access the affected functionality. Exploitation of this vulnerability can lead to Session Hijacking and Credential Theft, Execution of unauthorized actions on behalf of users, and Exfiltration of sensitive data. This vulnerability presents a potential risk for widespread exploitation in connected IoT environments.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://www.exploit-db.com/exploits/43122/

exploit

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:27:03.950Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "43122",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/43122/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-11-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the \"Favorites\" feature. This vulnerability allows remote attackers to inject and permanently store malicious JavaScript payloads, which are executed when users access the affected functionality. Exploitation of this vulnerability can lead to Session Hijacking and Credential Theft, Execution of unauthorized actions on behalf of users, and Exfiltration of sensitive data. This vulnerability presents a potential risk for widespread exploitation in connected IoT environments."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-04T21:09:31.899Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "43122",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/43122/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-16567",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a \"favorite.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "43122",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/43122/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-16567",
    "datePublished": "2017-11-09T19:00:00.000Z",
    "dateReserved": "2017-11-06T00:00:00.000Z",
    "dateUpdated": "2025-02-04T21:09:31.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-36361

CVE-2017-16567 (GCVE-0-2017-16567)

Tags

Sightings

Nomenclature