Vulnerability CVE-2013-7341 - CERT Civis.Net

Vulnerability Name:

CVE-2013-7341 (CCN-93815)

Assigned:

2014-03-17

Published:

2014-03-17

Updated:

2020-12-01

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2013-7341

Source: CCN
Type: Flowplayer flash Web site
Flowplayer - Flash Video Player for the Web : Flowplayer

Source: CONFIRM
Type: UNKNOWN
http://flash.flowplayer.org/documentation/version-history.html

Source: CONFIRM
Type: UNKNOWN
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344

Source: CCN
Type: OSS Security, Mon, 17 Mar 2014 13:00:19 +0800
Moodle security notifications public

Source: MLIST
Type: UNKNOWN
[oss-security] 20140317 Moodle security notifications public

Source: CCN
Type: BID-66607
Flowplayer Flash CVE-2013-7341 Multiple Cross Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
flowplayer-cve20137341-xss(93815)

Source: CONFIRM
Type: UNKNOWN
https://github.com/flowplayer/flash/issues/121

Source: CONFIRM
Type: UNKNOWN
https://moodle.org/mod/forum/discuss.php?d=256420

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-7341

Vulnerable Configuration:

Configuration 1:

cpe:/a:moodle:moodle:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.10:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.12:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.11:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.10:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.9:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.10:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.9:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.10:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:*:*:*:*:*:*:*:* (Version <= 2.3.11)

OR cpe:/a:moodle:moodle:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.11:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.3:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:*:*:*:*:*:*:*:* (Version <= 3.2.16)

OR cpe:/a:flowplayer:flowplayer_flash:3.2.14:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.7:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.5:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.4:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.4:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.15:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.13:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.8:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.2.6:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:flowplayer:flowplayer_flash:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201373410000000	V	CVE-2013-7341 on Ubuntu 18.04 LTS (bionic) - medium.	2014-03-24
oval:com.ubuntu.artful:def:20137341000	V	CVE-2013-7341 on Ubuntu 17.10 (artful) - medium.	2014-03-24
oval:com.ubuntu.trusty:def:20137341000	V	CVE-2013-7341 on Ubuntu 14.04 LTS (trusty) - medium.	2014-03-24
oval:com.ubuntu.xenial:def:201373410000000	V	CVE-2013-7341 on Ubuntu 16.04 LTS (xenial) - medium.	2014-03-24
oval:com.ubuntu.bionic:def:20137341000	V	CVE-2013-7341 on Ubuntu 18.04 LTS (bionic) - medium.	2014-03-24
oval:com.ubuntu.xenial:def:20137341000	V	CVE-2013-7341 on Ubuntu 16.04 LTS (xenial) - medium.	2014-03-24
oval:com.ubuntu.disco:def:201373410000000	V	CVE-2013-7341 on Ubuntu 19.04 (disco) - medium.	2014-03-24
oval:com.ubuntu.cosmic:def:20137341000	V	CVE-2013-7341 on Ubuntu 18.10 (cosmic) - medium.	2014-03-24
oval:com.ubuntu.cosmic:def:201373410000000	V	CVE-2013-7341 on Ubuntu 18.10 (cosmic) - medium.	2014-03-24
oval:com.ubuntu.precise:def:20137341000	V	CVE-2013-7341 on Ubuntu 12.04 LTS (precise) - medium.	2014-03-24