Advisory:

CSRF in JW Player for Flash & HTML5 Video 2.1.3 permits deletion of players

Vulnerability

Last revised:

An attacker who can convince a logged-in admin user to visit a URL of the attacker's choosing can cause that admin's browser to delete players. The delete action is triggered by a plain GET request to the plugin's admin page and requires no anti-CSRF token (WordPress nonce), so the request succeeds with nothing more than the admin's session cookie.

Current state: Reported

CVSS Summary

CVSS v2 base scores for this vulnerability

Score: 4.3 (Medium)
Vector string: AV:N/AC:M/Au:N/C:N/I:N/A:P
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Log in as admin, create a new player, then, while still logged in, visit the following URL, replacing localhost with the site's hostname and player_id with the ID of the player you just created. The player is deleted without any confirmation step and without a nonce being checked:

http://localhost/wp-admin/admin.php?page=jwp6_menu&player_id=1&action=delete
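For reference, here is the shape of the problem and the usual WordPress fix, as an added illustration and not code taken from the JW Player plugin. The function names (jwp6_example_*) and the delete_option() storage are assumptions made for the example; the WordPress API calls (add_query_arg, admin_url, wp_nonce_url, check_admin_referer, current_user_can, wp_die) are the real ones.

```php
<?php
// Added illustration, not code from the JW Player plugin. The jwp6_example_*
// names and the use of delete_option() for player storage are hypothetical.

// Vulnerable shape: the handler acts on any GET request that carries the right
// parameters. A link or <img src="..."> on an attacker's page, loaded by a
// logged-in admin, deletes the player because the browser attaches the
// admin's session cookie automatically.
function jwp6_example_delete_player_vulnerable() {
    if ( isset( $_GET['page'], $_GET['action'] )
        && 'jwp6_menu' === $_GET['page']
        && 'delete' === $_GET['action'] ) {
        $player_id = isset( $_GET['player_id'] ) ? (int) $_GET['player_id'] : 0;
        delete_option( 'jwp6_example_player_' . $player_id );
    }
}

// Hardened shape, part 1: every delete link the plugin renders carries a nonce
// bound to the action and the specific player ID. An attacker cannot forge
// the nonce because it is derived from the victim's session.
function jwp6_example_delete_link( $player_id ) {
    $player_id = (int) $player_id;
    $url = add_query_arg(
        array(
            'page'      => 'jwp6_menu',
            'action'    => 'delete',
            'player_id' => $player_id,
        ),
        admin_url( 'admin.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token> tied to the action string.
    return wp_nonce_url( $url, 'jwp6_example_delete_player_' . $player_id );
}

// Hardened shape, part 2: the handler refuses the request unless the nonce
// verifies for this action and player, and the user is actually allowed to
// delete players. A nonce is a CSRF defence, not an authorisation check, so
// both tests are needed.
function jwp6_example_delete_player_hardened() {
    if ( ! isset( $_GET['page'], $_GET['action'] )
        || 'jwp6_menu' !== $_GET['page']
        || 'delete' !== $_GET['action'] ) {
        return;
    }
    $player_id = isset( $_GET['player_id'] ) ? (int) $_GET['player_id'] : 0;

    // check_admin_referer() reads $_GET['_wpnonce'], verifies it against the
    // same action string used when the link was built, and calls wp_die() on
    // failure. The cross-site GET in the proof of concept carries no nonce
    // and therefore stops here.
    check_admin_referer( 'jwp6_example_delete_player_' . $player_id );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to delete players.' );
    }

    delete_option( 'jwp6_example_player_' . $player_id );
}

add_action( 'admin_init', 'jwp6_example_delete_player_hardened' );
```

With the hardened handler in place, the proof-of-concept URL above fails with WordPress's standard "Are you sure you want to do this?" wp_die() page, while the nonce-carrying links rendered by jwp6_example_delete_link() continue to work for the logged-in admin. A quick check for this class of bug in any plugin is to look for admin actions keyed off $_GET['action'] or $_POST['action'] with no nearby check_admin_referer() or wp_verify_nonce() call.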

Advisory timeline

  • 2014-04-08: Discovered
  • 2014-04-10: Reported
  • 2014-06-10: Report not acknowledged, no fix announced. Published.

Mitigation/further actions

Disable the plugin until a fix is available.