Unrated severity · NVD Advisory · Published Aug 15, 2013 · Updated Apr 29, 2026

CVE-2013-1942

Description

Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
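
A deployment check for the fix boundary stated above, as an added example that is not part of the advisory or the jPlayer project: it reads the `version` object from the text of a `jquery.jplayer.js` copy and compares `needFlash` with 2.2.20. The function names and the two sample strings are assumptions constructed here, and the check inspects only the script, so the SWF file still has to be replaced separately.

```javascript
// Added example: flag jquery.jplayer.js copies that predate the 2.2.20 fix.
const FIXED = "2.2.20"; // first fixed release, per the advisory text

// Compare dotted versions numerically ("2.2.9" < "2.2.20", unlike string compare).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Pull script/needFlash out of the `version: { ... }` object in the source text.
// Works on formatted and minified copies; returns null if no such object exists.
function extractVersions(source) {
  const block = /version\s*:\s*\{([^}]*)\}/.exec(source);
  if (!block) return null;
  const field = (name) => {
    const m = new RegExp(name + '\\s*:\\s*"(\\d+(?:\\.\\d+)*)"').exec(block[1]);
    return m ? m[1] : null;
  };
  return { script: field("script"), needFlash: field("needFlash") };
}

// needFlash is the SWF version the script expects; below FIXED means the
// script pairs with a SWF that predates the fix.
function assess(source) {
  const v = extractVersions(source);
  if (!v || !v.needFlash) return { status: "unknown", versions: v };
  const vulnerable = compareVersions(v.needFlash, FIXED) < 0;
  return { status: vulnerable ? "vulnerable" : "fixed", versions: v };
}

// Constructed samples: the version object before and after the fix release.
const SAMPLE_OLD =
  'version: { // Static Object\n\tscript: "2.2.19",\n\tneedFlash: "2.2.19",\n\tflash: "unknown"\n}';
const SAMPLE_NEW = SAMPLE_OLD.replace(/2\.2\.19/g, "2.2.20");

console.log(assess(SAMPLE_OLD).status, assess(SAMPLE_NEW).status);
```

An "unknown" result means the file carries no recognisable version object and needs manual inspection.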

Affected products

112
  • Happyworm/Jplayer (73 versions)
    • cpe:2.3:a:happyworm:jplayer:*:*:*:*:*:*:*:* (range: <=2.2.19)
  • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
    Range: <=5.0.3
  • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:* and 37 more

Patches

1
e8ca190f7f97

Security Fix of Flash SWF that had enabled cookie theft

https://github.com/happyworm/jPlayer · Happyworm · Mar 21, 2013 · via nvd-ref
4 files changed · +11 −11
  • actionscript/happyworm/jPlayer/JplayerStatus.as+2 2 modified
    @@ -8,13 +8,13 @@
      *  - http://www.gnu.org/copyleft/gpl.html
      *
      * Author: Mark J Panaghiston
    - * Date: 29th January 2013
    + * Date: 21st March 2013
      */
     
     package happyworm.jPlayer {
     	public class JplayerStatus {
     
    -		public static const VERSION:String = "2.2.19"; // The version of the Flash jPlayer entity.
    +		public static const VERSION:String = "2.2.20"; // The version of the Flash jPlayer entity.
     
     		public var volume:Number = 0.5; // Not affected by reset()
     		public var muted:Boolean = false; // Not affected by reset()
    
  • actionscript/Jplayer.as+5 5 modified
    @@ -8,8 +8,8 @@
      *  - http://www.gnu.org/copyleft/gpl.html
      *
      * Author: Mark J Panaghiston
    - * Version: 2.2.19
    - * Date: 29th January 2013
    + * Version: 2.2.20
    + * Date: 21st March 2013
      *
      * FlashVars expected: (AS3 property of: loaderInfo.parameters)
      *	id: 	(URL Encoded: String) Id of jPlayer instance
    @@ -70,7 +70,7 @@ package {
     		private var isVideo:Boolean = false;
     
     		private var securityIssue:Boolean = false; // When SWF parameters contain illegal characters
    -		private var directAccess:Boolean = false; // When SWF visited directly with no parameters
    +		private var directAccess:Boolean = false; // When SWF visited directly with no parameters (or when security issue detected)
     
     		private var txLog:TextField;
     		private var debug:Boolean = false; // Set debug to false for release compile!
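Review bot: directAccess on the changed line now stands for two different states, a direct visit with no parameters and a detected security issue, and only the comment records that. Keeping securityIssue as the flag that callers test for the second case, or renaming directAccess to reflect both meanings, would stop a later reader from treating it as a harmless "no parameters" condition.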
    @@ -233,12 +233,12 @@ package {
     				}
     				i++;
     			}
    -			if(i === 0) {
    +			if(i === 0 || securityIssue) {
     				directAccess = true;
     			}
     		}
     		private function illegalChar(s:String):Boolean {
    -			var illegals:String = "' \" ( ) { } * + /";
    +			var illegals:String = "' \" ( ) { } * + / \\ < > = document";
     			if(Boolean(s)) { // Otherwise exception if parameter null.
     				for each (var illegal:String in illegals.split(' ')) {
     					if(s.indexOf(illegal) >= 0) {
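Review bot: illegalChar() remains a substring denylist, and the extended illegals string adds one literal word, document, beside the punctuation, so the check is only as good as the list of tokens someone remembered to include. The file header documents id as the id of a jPlayer instance, so id and the jQuery parameter could instead be validated against an allowlist of the characters such a value legitimately needs, rejecting everything else. Note also that illegals.split(' ') means a space can never be listed as illegal, and an accidental double space in the string would produce an empty token for which indexOf returns 0 on every input.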
    
  • jquery.jplayer/Jplayer.swf+0 0 modified
  • jquery.jplayer/jquery.jplayer.js+4 4 modified
    @@ -8,8 +8,8 @@
      *  - http://www.gnu.org/copyleft/gpl.html
      *
      * Author: Mark J Panaghiston
    - * Version: 2.2.19
    - * Date: 29th January 2013
    + * Version: 2.2.20
    + * Date: 21st March 2013
      */
     
     /* Code verified using http://www.jshint.com/ */
    @@ -454,8 +454,8 @@
     	$.jPlayer.prototype = {
     		count: 0, // Static Variable: Change it via prototype.
     		version: { // Static Object
    -			script: "2.2.19",
    -			needFlash: "2.2.19",
    +			script: "2.2.20",
    +			needFlash: "2.2.20",
     			flash: "unknown"
     		},
     		options: { // Instanced in $.jPlayer() constructor
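Review bot: needFlash moves to "2.2.20" on the changed line, but Jplayer.swf appears in this commit only as a binary entry with +0 0, so nothing in the diff shows that the shipped SWF was rebuilt from the patched Jplayer.as. Worth confirming that the committed SWF reports VERSION 2.2.20 and documenting the build step. The version string is also maintained by hand in four places across these files, which a single source of truth would avoid.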
    
