VYPR
Medium severity6.1OSV Advisory· Published Sep 19, 2017· Updated Jun 17, 2026

CVE-2017-14142

CVE-2017-14142

Description

Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before 13.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) partnerId or (2) playerVersion parameter to server/admin_console/web/tools/bigRedButton.php; the (3) partnerId, (4) playerVersion, (5) secret, (6) entryId, (7) adminUiConfId, or (8) uiConfId parameter to server/admin_console/web/tools/bigRedButtonPtsPoc.php; the (9) streamUsername, (10) streamPassword, (11) streamRemoteId, (12) streamRemoteBackupId, or (13) entryId parameter to server/admin_console/web/tools/AkamaiBroadcaster.php; the (14) entryId parameter to server/admin_console/web/tools/XmlJWPlayer.php; or the (15) partnerId or (16) playerVersion parameter to server/alpha/web/lib/bigRedButtonPtsPocHlsjs.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Kaltura/ServerOSV2 versions
    IX-9.0.0-rel, IX-9.11.0-rel, IX-9.12.0-rel, …+ 1 more
    • (no CPE)range: IX-9.0.0-rel, IX-9.11.0-rel, IX-9.12.0-rel, …
    • cpe:2.3:a:kaltura:kaltura_server:*:*:*:*:*:*:*:*range: <=mercury-13.1.0
  • Kaltura/Kalturallm-fuzzy
    Range: <13.2.0

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.