Home > Vulnerability Database > CVE-2018-6360

Mend.io Vulnerability Database

CVE-2018-6360

Good to know:

Date: January 27, 2018

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

Language: C

Severity Score

8.8

Related Resources (7)

Url: https://security-tracker.debian.org/tracker/CVE-2018-6360

Url: https://github.com/mpv-player/mpv/issues/5456

Url: https://security.gentoo.org/glsa/201805-05

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-6360

Url: https://www.debian.org/security/2018/dsa-4105

Url: https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43

Url: https://www.mend.io/vulnerability-database/CVE-2018-6360

Severity Score

8.8

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version v0.29.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-6360

Good to know:

Date: January 27, 2018

Language: C

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?