Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2018-6360
PUBLISHED
More InfoOfficial Page
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
View Known Exploited Vulnerability (KEV) details
Published At-28 Jan, 2018 | 02:00
Updated At-05 Aug, 2024 | 06:01
Rejected At-
▼CVE Numbering Authority (CNA)

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
x_refsource_MISC
https://security.gentoo.org/glsa/201805-05
vendor-advisory
x_refsource_GENTOO
https://github.com/mpv-player/mpv/issues/5456
x_refsource_MISC
https://www.debian.org/security/2018/dsa-4105
vendor-advisory
x_refsource_DEBIAN
Hyperlink: https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
Resource:
x_refsource_MISC
Hyperlink: https://security.gentoo.org/glsa/201805-05
Resource:
vendor-advisory
x_refsource_GENTOO
Hyperlink: https://github.com/mpv-player/mpv/issues/5456
Resource:
x_refsource_MISC
Hyperlink: https://www.debian.org/security/2018/dsa-4105
Resource:
vendor-advisory
x_refsource_DEBIAN
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
x_refsource_MISC
x_transferred
https://security.gentoo.org/glsa/201805-05
vendor-advisory
x_refsource_GENTOO
x_transferred
https://github.com/mpv-player/mpv/issues/5456
x_refsource_MISC
x_transferred
https://www.debian.org/security/2018/dsa-4105
vendor-advisory
x_refsource_DEBIAN
x_transferred
Hyperlink: https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://security.gentoo.org/glsa/201805-05
Resource:
vendor-advisory
x_refsource_GENTOO
x_transferred
Hyperlink: https://github.com/mpv-player/mpv/issues/5456
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.debian.org/security/2018/dsa-4105
Resource:
vendor-advisory
x_refsource_DEBIAN
x_transferred
Details not found