Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2018-6360

Опубликовано: 28 янв. 2018
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS2: 6.8
CVSS3: 8.8

Описание

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

РелизСтатусПримечание
artful

ignored

end of life
bionic

released

0.27.2-1ubuntu1
cosmic

released

0.27.2-1ubuntu1
devel

released

0.27.2-1ubuntu1
disco

released

0.27.2-1ubuntu1
eoan

released

0.27.2-1ubuntu1
esm-apps/bionic

released

0.27.2-1ubuntu1
esm-apps/focal

released

0.27.2-1ubuntu1
esm-apps/jammy

released

0.27.2-1ubuntu1
esm-apps/noble

released

0.27.2-1ubuntu1

Показывать по

Ссылки на источники

EPSS

Процентиль: 68%
0.00564
Низкий

6.8 Medium

CVSS2

8.8 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2018-6360

CVSS3: 8.8
nvd
около 8 лет назад

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

debian логотип

CVE-2018-6360

CVSS3: 8.8
debian
около 8 лет назад

mpv through 0.28.0 allows remote attackers to execute arbitrary code v ...

suse-cvrf логотип

openSUSE-SU-2018:0479-1

suse-cvrf
почти 8 лет назад

Security update for mpv

github логотип

GHSA-rj86-j8mq-h692

CVSS3: 8.8
github
больше 3 лет назад

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

EPSS

Процентиль: 68%
0.00564
Низкий

6.8 Medium

CVSS2

8.8 High

CVSS3