CVE-2017-14142
Description
Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before 13.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) partnerId or (2) playerVersion parameter to server/admin_console/web/tools/bigRedButton.php; the (3) partnerId, (4) playerVersion, (5) secret, (6) entryId, (7) adminUiConfId, or (8) uiConfId parameter to server/admin_console/web/tools/bigRedButtonPtsPoc.php; the (9) streamUsername, (10) streamPassword, (11) streamRemoteId, (12) streamRemoteBackupId, or (13) entryId parameter to server/admin_console/web/tools/AkamaiBroadcaster.php; the (14) entryId parameter to server/admin_console/web/tools/XmlJWPlayer.php; or the (15) partnerId or (16) playerVersion parameter to server/alpha/web/lib/bigRedButtonPtsPocHlsjs.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kaltura before 13.2.0 contains multiple reflected XSS flaws due to unsanitized user input reflected in server-side scripts.
Vulnerability
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in Kaltura versions prior to 13.2.0. The affected endpoints are server/admin_console/web/tools/bigRedButton.php, server/admin_console/web/tools/bigRedButtonPtsPoc.php, server/admin_console/web/tools/AkamaiBroadcaster.php, server/admin_console/web/tools/XmlJWPlayer.php, and server/alpha/web/lib/bigRedButtonPtsPocHlsjs.php. Unsanitized query-string parameters such as partnerId, playerVersion, secret, entryId, adminUiConfId, uiConfId, streamUsername, streamPassword, streamRemoteId, and streamRemoteBackupId are embedded directly in the HTML output without validation or output encoding, so a value containing markup or script is reflected verbatim into the page [1][2][3].
Exploitation
An attacker can craft a URL containing a JavaScript payload in any of the listed parameters and trick a victim into opening it. The attacker needs no account on the target and no write access to the server; delivering the crafted link through social engineering is sufficient. Whether the victim must already be logged in depends on the access controls in front of each tool, since some of these endpoints may be reachable only by certain user roles [1].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement, or redirection to malicious sites. Since some of the affected pages reside in the admin console, a successful attack could also allow the attacker to perform administrative actions on behalf of a logged-in administrator, leading to broader compromise of the Kaltura instance [1].
Mitigation
Kaltura 13.2.0 fixes these vulnerabilities by validating the affected parameters with strict allowlist checks, using functions such as safeGetInput() with appropriate regular-expression patterns [1][2][3]. Users should upgrade to version 13.2.0 or later. No official workaround has been provided for older versions; as compensating controls until an upgrade is possible, administrators should restrict network access to the admin console tools and deploy web application firewall (WAF) rules that block query strings containing markup or script.
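The following PHP snippet is an added illustration of the reflected-XSS pattern described above and of the allowlist-validation approach the fix takes; it is not Kaltura's code. The helper name validatedGetParam(), the regular-expression patterns, and the sample entryId format are assumptions modelled on the advisory's description of the fix, not on Kaltura's actual safeGetInput() implementation.

```php
<?php
// Added example, not Kaltura's code. Shows the reflected-XSS pattern behind
// CVE-2017-14142 and one way to harden it: allowlist validation of every
// query-string parameter, followed by output encoding.
// validatedGetParam(), PARAM_PATTERNS and the entryId format are assumptions.

declare(strict_types=1);

// Vulnerable pattern: a query-string value is dropped straight into markup.
// The closing quote and angle brackets in the value are not encoded, so the
// attacker breaks out of the attribute and injects a script element.
function renderPlayerVulnerable(array $get): string
{
    $entryId = $get['entryId'] ?? '';
    return '<div id="player" data-entry="' . $entryId . '"></div>';
}

// Per-parameter allowlist. Each pattern is anchored so the whole value must
// match; a value with any other character is rejected outright.
// These patterns are illustrative assumptions, not Kaltura's.
const PARAM_PATTERNS = [
    'partnerId'     => '/^[0-9]+$/',
    'playerVersion' => '/^[0-9]+(?:\.[0-9]+){0,2}$/',
    'entryId'       => '/^[0-9a-z]_[0-9a-z]+$/',   // assumed form, e.g. 0_abc123
    'uiConfId'      => '/^[0-9]+$/',
    'adminUiConfId' => '/^[0-9]+$/',
];

// Returns the parameter value only if it matches its allowlist pattern.
// Unknown parameter names are a programming error and fail loudly.
function validatedGetParam(array $get, string $name): ?string
{
    if (!isset(PARAM_PATTERNS[$name])) {
        throw new InvalidArgumentException("no allowlist pattern for $name");
    }
    $value = $get[$name] ?? null;
    if (!is_string($value) || preg_match(PARAM_PATTERNS[$name], $value) !== 1) {
        return null;
    }
    return $value;
}

// Hardened pattern: validate first, then still encode on output so that a
// future relaxation of the allowlist cannot silently reintroduce the bug.
function renderPlayerHardened(array $get): string
{
    $entryId = validatedGetParam($get, 'entryId');
    if ($entryId === null) {
        return '<p>invalid entryId</p>';
    }
    return '<div id="player" data-entry="'
        . htmlspecialchars($entryId, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '"></div>';
}

// Constructed sample inputs standing in for $_GET.
$attack = ['entryId' => '"><script>alert(document.cookie)</script>'];
$benign = ['entryId' => '0_abc123'];

echo renderPlayerVulnerable($attack), PHP_EOL;  // payload is reflected into the page
echo renderPlayerHardened($attack), PHP_EOL;    // payload is rejected by the allowlist
echo renderPlayerHardened($benign), PHP_EOL;    // well-formed value is rendered, encoded
```

Run it with `php` from the command line; the first line of output contains the attacker's script element intact, the second does not. Validation and encoding are deliberately kept as two separate steps: the allowlist stops the attack at the boundary, and htmlspecialchars() protects the output even if the allowlist is later loosened for a new identifier format.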
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
- [1] telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt (NVD tags: Exploit, Third Party Advisory)
- [2] www.securityfocus.com/bid/100976 (NVD tags: Third Party Advisory, VDB Entry)
- [3] github.com/kaltura/server/pull/6003/commits/7e00a578d6ba748f6d3bdc255a40a4a0a594e6f9 (NVD tags: Third Party Advisory)
- [4] github.com/kaltura/server/pull/6003/commits/a63362aa87d668d5ebf4a89cdd5bb8b815ac7f70 (NVD tags: Third Party Advisory)
News mentions: 0
No linked articles in our index yet.