Search
Find a vulnerability
Search criteria
2 vulnerabilities by popcorn_time_project
CVE-2022-25229 (GCVE-0-2022-25229)
Vulnerability from nvd – Published: 2022-05-20 11:01 – Updated: 2024-08-03 04:36
VLAI
EPSS
VEX
Summary
Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
Severity
No CVSS data available.
CWE
- XSS to RCE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/bowie/ | x_refsource_MISC |
| https://github.com/popcorn-official/popcorn-deskt… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Popcorn Time |
Affected:
0.4.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:06.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bowie/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/popcorn-official/popcorn-desktop/issues/2491"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Popcorn Time",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Popcorn Time 0.4.7 has a Stored XSS in the \u0027Movies API Server(s)\u0027 field via the \u0027settings\u0027 page. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS to RCE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T20:13:48.000Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/bowie/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/popcorn-official/popcorn-desktop/issues/2491"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-25229",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Popcorn Time",
"version": {
"version_data": [
{
"version_value": "0.4.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Popcorn Time 0.4.7 has a Stored XSS in the \u0027Movies API Server(s)\u0027 field via the \u0027settings\u0027 page. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS to RCE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/bowie/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/bowie/"
},
{
"name": "https://github.com/popcorn-official/popcorn-desktop/issues/2491",
"refsource": "MISC",
"url": "https://github.com/popcorn-official/popcorn-desktop/issues/2491"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-25229",
"datePublished": "2022-05-20T11:01:18.000Z",
"dateReserved": "2022-02-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:36:06.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25229 (GCVE-0-2022-25229)
Vulnerability from cvelistv5 – Published: 2022-05-20 11:01 – Updated: 2024-08-03 04:36
VLAI
EPSS
VEX
Summary
Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
Severity
No CVSS data available.
CWE
- XSS to RCE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/bowie/ | x_refsource_MISC |
| https://github.com/popcorn-official/popcorn-deskt… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Popcorn Time |
Affected:
0.4.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:06.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bowie/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/popcorn-official/popcorn-desktop/issues/2491"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Popcorn Time",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Popcorn Time 0.4.7 has a Stored XSS in the \u0027Movies API Server(s)\u0027 field via the \u0027settings\u0027 page. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS to RCE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T20:13:48.000Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/bowie/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/popcorn-official/popcorn-desktop/issues/2491"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-25229",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Popcorn Time",
"version": {
"version_data": [
{
"version_value": "0.4.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Popcorn Time 0.4.7 has a Stored XSS in the \u0027Movies API Server(s)\u0027 field via the \u0027settings\u0027 page. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS to RCE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/bowie/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/bowie/"
},
{
"name": "https://github.com/popcorn-official/popcorn-desktop/issues/2491",
"refsource": "MISC",
"url": "https://github.com/popcorn-official/popcorn-desktop/issues/2491"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-25229",
"datePublished": "2022-05-20T11:01:18.000Z",
"dateReserved": "2022-02-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:36:06.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}