 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| CVE ID: | CVE-2018-6360 |
| Description: | mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL. |
| Test IDs: | 1.3.6.1.4.1.25623.1.0.704105 1.3.6.1.4.1.25623.1.1.10.2018.0130 |
| Cross References: |
Common Vulnerability Exposure (CVE) ID: CVE-2018-6360 Debian Security Information: DSA-4105 (Google Search) https://www.debian.org/security/2018/dsa-4105 https://security.gentoo.org/glsa/201805-05 https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 https://github.com/mpv-player/mpv/issues/5456 |