Description

A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. It affects an unknown function of the file public/proxy.php. Manipulation of this function leads to server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component.

PUBLISHED Reserved 2025-11-23 | Published 2025-11-24 | Updated 2025-11-24 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Server-Side Request Forgery

Product status

2.0: affected
2.1: affected
2.2: affected
2.3: affected
2.4: affected
2.5: affected
2.6: affected
2.7: affected
2.8: affected
2.8.1: unaffected

Timeline

2025-11-23: Advisory disclosed
2025-11-23: VulDB entry created
2025-11-23: VulDB entry last update

Credits

lakshay12311 (VulDB User) reporter

References

vuldb.com/?id.333352 (VDB-333352 | lKinderBueno Streamity Xtream IPTV Player proxy.php server-side request forgery) vdb-entry

vuldb.com/?ctiid.333352 (VDB-333352 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.687573 (Submit #687573 | lKinderBueno Streamity Xtream IPTV Web player 2.8 Server-Side Request Forgery) third-party-advisory

github.com/...hayyverma/CVE-Discovery/blob/main/Streamity.md exploit

github.com/...ommit/c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92 patch

github.com/...ity-Xtream-IPTV-Web-player/releases/tag/v2.8.1 patch

cve.org (CVE-2025-13588)

nvd.nist.gov (CVE-2025-13588)
