VYPR
Medium severity · CVSS 6.1 · NVD Advisory · Published Mar 16, 2026 · Updated Apr 15, 2026

CVE-2017-20219

Description

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based XSS vulnerability in the mediabrowser component via document.location passed to document.write().

Vulnerability

Overview

Serviio PRO 1.8 (and earlier versions 1.7.1, 1.7.0, 1.6.1) contains a DOM-based cross-site scripting (XSS) vulnerability in the mediabrowser component. Client-side code reads data from document.location and passes it to a document.write() call without validating or HTML-encoding it [1][3]. Because the source (the URL) and the sink (document.write()) are both in the browser, the injection happens entirely client-side: the server returns the same page for every request, and the attacker controls what the page's own script writes into the DOM of any user who opens the crafted URL.

Exploitation

An attacker can craft a malicious URL containing a payload in the fragment identifier or query string. For example, a request to /mediabrowser/#/browse/V_F?title=Folders&b=Home&b=Video&bid=0"> breaks out of the attribute the value is written into, and whatever follows is written into the page as markup [3]. No authentication is required to trigger the vulnerability, as the mediabrowser component is accessible without prior login. The injected code runs in the victim's browser session, with the origin of the Serviio web interface. Note that when the payload is carried in the fragment, the browser never sends it to the server, so server-side request logs will not show it; detection has to happen in the client or at the link-delivery stage.
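To make the mechanism in the Overview and the attribute-breakout payload in the Exploitation section concrete, here is an added example that is not Serviio's code and not taken from any of the cited references. It models the mediabrowser hash route as a plain href string (standing in for document.location), parses its parameters, and renders them two ways: `renderBreadcrumbVulnerable()` concatenates the raw values into markup the way an unescaped document.write() does, while `renderBreadcrumbSafe()` HTML-escapes every URL-derived value and constrains `bid` to digits. The hostname `serviio.example`, the meaning of the `title`, `b` and `bid` parameters, and the markup layout are assumptions made for the illustration.

```javascript
// Added example, not Serviio's code: a Node-runnable model of the DOM-XSS
// pattern described in the advisory (URL fragment -> unescaped markup).
// Assumptions: hostname, parameter semantics and markup shape are invented here.

// Parse "key=value" pairs from the query part of the URL fragment.
// Repeated keys (b=Home&b=Video) accumulate into an array. Values are
// percent-decoded explicitly, since location.hash is returned undecoded.
function parseFragmentParams(href) {
  const hashIdx = href.indexOf("#");
  if (hashIdx === -1) return {};
  const fragment = href.slice(hashIdx + 1);
  const qIdx = fragment.indexOf("?");
  if (qIdx === -1) return {};
  const params = {};
  for (const pair of fragment.slice(qIdx + 1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    (params[key] = params[key] || []).push(val);
  }
  return params;
}

function first(params, key) {
  return params[key] ? params[key][0] : "";
}

// VULNERABLE: URL-controlled strings land in text and attribute context unchanged,
// exactly as they would if concatenated into a document.write() argument.
function renderBreadcrumbVulnerable(href) {
  const p = parseFragmentParams(href);
  const title = first(p, "title");
  const bid = first(p, "bid");
  const crumbs = (p.b || [])
    .map(b => `<a href="#/browse/V_F?bid=${bid}">${b}</a>`)
    .join(" / ");
  return `<h1>${title}</h1><div class="crumbs" data-bid="${bid}">${crumbs}</div>`;
}

// Escape the characters that can terminate text content or a quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HARDENED: identical layout, but free-text values are escaped for the context
// they land in, and bid (an identifier) is validated against a digit whitelist.
function renderBreadcrumbSafe(href) {
  const p = parseFragmentParams(href);
  const title = escapeHtml(first(p, "title"));
  const rawBid = first(p, "bid");
  const bid = /^\d{1,10}$/.test(rawBid) ? rawBid : "0";
  const crumbs = (p.b || [])
    .map(b => `<a href="#/browse/V_F?bid=${bid}">${escapeHtml(b)}</a>`)
    .join(" / ");
  return `<h1>${title}</h1><div class="crumbs" data-bid="${bid}">${crumbs}</div>`;
}

// Constructed URLs (not captured traffic). The benign one is the advisory's route;
// the malicious one appends an attribute-breakout payload to bid, percent-encoded
// the way a browser would carry it in the fragment.
const BENIGN_URL =
  "http://serviio.example/mediabrowser/#/browse/V_F?title=Folders&b=Home&b=Video&bid=0";
const PAYLOAD = '"><img src=x onerror=alert(1)>';
const MALICIOUS_URL = BENIGN_URL + encodeURIComponent(PAYLOAD);

// Render with both builders and report whether the injected element survived.
function compareRenderers(href) {
  const vulnerable = renderBreadcrumbVulnerable(href);
  const safe = renderBreadcrumbSafe(href);
  return {
    vulnerable,
    safe,
    vulnerableInjected: vulnerable.includes("<img src=x onerror=alert(1)>"),
    safeInjected: safe.includes("<img"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = compareRenderers(MALICIOUS_URL);
  console.log("vulnerable:", r.vulnerable);
  console.log("safe:      ", r.safe);
}
```

Running the file prints the two renderings side by side: in the vulnerable output the `"` in the payload closes the `data-bid` attribute and the `<img ... onerror=...>` becomes a live element, while the hardened output falls back to `bid="0"` and leaves the page unchanged. For a benign URL both renderers produce identical markup, which is the property to check when retrofitting escaping onto an existing UI. In a real page the better fix is to stop building HTML strings altogether and create elements with `document.createElement()` and `textContent`, so there is no markup context for URL data to break out of.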

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the browser of a user visiting the crafted URL. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the browser. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3 base score of 6.1 (Medium) [4].

Mitigation

As of the latest available information, the vendor has not released a patched version for this vulnerability. Users are advised to restrict access to the Serviio web interface to trusted networks only and to avoid clicking on untrusted links that target the mediabrowser component. Since the flaw lies in client-side code, a fix would have to change the mediabrowser JavaScript so that URL-derived values are HTML-encoded, or built into the DOM via textContent, before they reach document.write(); a server-side filter cannot see payloads carried in the URL fragment. The vulnerability was publicly disclosed in 2017 and remains unpatched in the affected versions [1][2][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)