kaltura/server

kaltura/server

Releases300

Frequency2 weeks 1 day

Last Release 10 days ago

Stars404

The Kaltura Platform Backend. To install Kaltura, visit the install packages repository.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2017-14142 ↗	Sep 19, 2017Tuesday, 19 September 2017, 15:29	—	4.3 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before 13.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) partnerId or (2) playerVersion parameter to server/admin_console/web/tools/bigRedButton.php; the (3) partnerId, (4) playerVersion, (5) secret, (6) entryId, (7) adminUiConfId, or (8) uiConfId parameter to server/admin_console/web/tools/bigRedButtonPtsPoc.php; the (9) streamUsername, (10) streamPassword, (11) streamRemoteId, (12) streamRemoteBackupId, or (13) entryId parameter to server/admin_console/web/tools/AkamaiBroadcaster.php; the (14) entryId parameter to server/admin_console/web/tools/XmlJWPlayer.php; or the (15) partnerId or (16) playerVersion parameter to server/alpha/web/lib/bigRedButtonPtsPocHlsjs.php.
CVE-2017-14143 ↗	Sep 19, 2017Tuesday, 19 September 2017, 15:29	—	7.5 HIGH
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
CVE-2017-14141 ↗	Sep 19, 2017Tuesday, 19 September 2017, 15:29	7.2 HIGH	6.5 MEDIUM
The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
CVE-2017-6391 ↗	Mar 2, 2017Thursday, 2 March 2017, 06:59	—	4.3 MEDIUM
An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "admin_console/web/tools/SimpleJWPlayer.php" URL, the "admin_console/web/tools/AkamaiBroadcaster.php" URL, the "admin_console/web/tools/bigRedButton.php" URL, and the "admin_console/web/tools/bigRedButtonPtsPoc.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
CVE-2017-6392 ↗	Mar 2, 2017Thursday, 2 March 2017, 06:59	—	4.3 MEDIUM
An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "server-Lynx-12.11.0/admin_console/web/tools/XmlJWPlayer.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.