CVE-2017-20219 | THREATINT

Description

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

1.8.0.0 PRO

affected

1.7.1

affected

1.7.0

affected

1.6.1

affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5406.php (Zero Science Lab Disclosure) third-party-advisory

blogs.securiteam.com/index.php/archives/3094 (SecuriTeam Blogs) third-party-advisory

cxsecurity.com/issue/WLB-2017050020 (CXSecurity) third-party-advisory

packetstormsecurity.com/files/142385 (Packet Storm Security) exploit

exchange.xforce.ibmcloud.com/vulnerabilities/125647 (IBM X-Force Exchange) vdb-entry

www.vulncheck.com/...d-cross-site-scripting-via-mediabrowser (VulnCheck Advisory: Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser) third-party-advisory

cve.org (CVE-2017-20219)

nvd.nist.gov (CVE-2017-20219)

Download JSON