
Serviio Pro CVE-2017-20219

EUVD-2017-18932 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
Published 2026-03-15 · VulnCheck
CVSS 4.0 score 5.1 (NVD)

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD), decoded from the vector string above

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: Active (UI:A), i.e. the victim must open or be redirected to the crafted URL
Vulnerable System Impact: Confidentiality None / Integrity None / Availability None (VC:N/VI:N/VA:N)
Subsequent System Impact: Confidentiality Low / Integrity Low / Availability None (SC:L/SI:L/SA:N), i.e. the damage lands in the user's browser session rather than on the Serviio host
Scope: not a CVSS 4.0 metric (the page shows X); the cross-boundary effect that CVSS 3.x expressed with Scope is carried by the Subsequent System metrics above

Lifecycle Timeline (5 events)

Apr 15, 2026 15:22 (NVD): CVSS changed, 6.1 (MEDIUM) revised to 5.1 (MEDIUM)
Mar 16, 2026 14:53 (vuln.today): PoC detected, public exploit code
Mar 15, 2026 20:00 (euvd): EUVD ID assigned, EUVD-2017-18932
Mar 15, 2026 20:00 (vuln.today): analysis generated
Mar 15, 2026 18:34 (nvd): CVE published, initial score 6.1 (MEDIUM)

Description (CVE.org)

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.

Analysis (AI)

A DOM-based cross-site scripting (XSS) vulnerability exists in the mediabrowser component of Serviio PRO that allows unauthenticated remote attackers to execute arbitrary JavaScript in a user's browser context once that user opens a crafted URL. The vulnerability affects multiple versions of Serviio PRO (1.6.1 through 1.8.0.0) and stems from unsafe handling of URL data that is read from document.location and passed to document.write(). Publicly available proof-of-concept exploits exist, which makes this a moderate-to-high priority issue despite its medium CVSS score (6.1 at publication, later revised to 5.1).

Technical Context (AI)

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and manifests as DOM-based XSS: the injection happens entirely in client-side script, not in server-generated HTML. The affected product is Serviio PRO (cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:*), a DLNA media streaming server that exposes a web-based mediabrowser component. The root cause is a call to document.write() in the mediabrowser's JavaScript that incorporates data read from document.location without encoding or sanitizing it. An attacker crafts a URL carrying a script payload in that location data; when a user visits or is redirected to the URL, the script writes the payload straight into the DOM and the browser executes it in the user's context, including any session the user holds with the Serviio interface. Because the sink is client-side, the server need not see the payload at all: if the script reads document.location.href or document.location.hash, the payload can travel in the URL fragment, which browsers never transmit to the server.
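The source-to-sink pattern described above, as an added example written for this page (it is not Serviio's code): a minimal vulnerable renderer that concatenates a query parameter read from the URL into markup exactly as document.write() would receive it, beside a hardened version that HTML-encodes the value before it reaches the sink. The parameter name folder, the host and port in the sample URL, and the heading markup are assumptions for illustration.

```javascript
// Added example, not Serviio's code. The parameter name "folder", the host,
// the port and the markup are assumptions chosen to illustrate the pattern.

// Vulnerable shape: the raw query value flows into the HTML string unchanged.
// In the browser this string would be the argument to document.write().
function renderVulnerable(locationHref) {
  const params = new URL(locationHref).searchParams;
  const folder = params.get('folder') || '';
  return '<h2>' + folder + '</h2>';
}

// Encode the five characters that let data break out of an HTML text node
// or attribute value. Ampersand goes first so later replacements are not
// double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened shape: same source, same sink, but the value is encoded on the way.
function renderSafe(locationHref) {
  const params = new URL(locationHref).searchParams;
  const folder = params.get('folder') || '';
  return '<h2>' + escapeHtml(folder) + '</h2>';
}

// Quick check used below: does a rendered string still contain a tag with an
// inline event handler, or a <script> tag, that a browser would execute?
function containsExecutableMarkup(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=|<script\b/i.test(html);
}

// Constructed sample URL: the query carries an <img onerror=...> payload.
const SAMPLE_URL =
  'http://serviio.local:23423/mediabrowser/?folder=' +
  encodeURIComponent('<img src=x onerror=alert(document.domain)>');

console.log('vulnerable:', renderVulnerable(SAMPLE_URL));
console.log('hardened:  ', renderSafe(SAMPLE_URL));
```

Encoding at the sink is the fix that matches the CWE-79 description; a stronger version of the hardened renderer would avoid document.write() altogether and assign the value with textContent, which needs no encoding because it never parses the string as HTML.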

Remediation (AI)

Patch availability: the references cited here do not name a fixed version. The suggestion that Serviio PRO 1.9 or later resolves the issue is inferred from the version history and should be confirmed against the vendor's release notes before relying on it; any version after 1.8.0.0 should be checked rather than assumed safe.

Mitigation steps:
(1) Update Serviio PRO to the latest version available from the vendor.
(2) Restrict network access to the Serviio web interface with firewall rules or network segmentation.
(3) Disable remote access to the mediabrowser component if it is not required.
(4) Monitor access logs for URL parameters containing script-like payloads. This catches only payloads carried in the path or query string: a payload placed in the URL fragment (after #) is never sent to the server and leaves no trace in server-side logs, even though client-side script can read it from document.location.
(5) Deploy a Content Security Policy at the reverse proxy or application level. A script-src directive without 'unsafe-inline' blocks the injected inline script, but it also blocks any inline scripts the mediabrowser itself relies on, so test the policy against the application (Content-Security-Policy-Report-Only is useful for that) before enforcing it.

References: https://www.vulncheck.com/advisories/serviio-pro-dom-based-cross-site-scripting-via-mediabrowser (VulnCheck advisory), https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5406.php (original Zero Science Lab advisory), https://packetstormsecurity.com/files/142385 (PoC).
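The log-monitoring step from the list above, as an added example written for this page (not part of vuln.today's or Serviio's tooling): a scan over combined-format access-log lines that URL-decodes each query string, including double-encoded values, and flags the requests that carry markup or script. The log format and the four sample lines are constructed; the last line also shows why a fragment-borne payload is invisible here.

```javascript
// Added example, not part of the page or of Serviio. The combined log format
// and the sample lines are constructed for illustration.

// Request line inside a combined-format log entry: "GET /path?query HTTP/1.1"
const LOG_REQUEST = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Decode percent-encoding repeatedly (up to three rounds) so that
// double-encoded payloads such as %253C ("%3C", then "<") are inspected too.
function fullyDecode(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch (e) {
      break; // malformed escape sequence: keep what we have so far
    }
  }
  return cur;
}

// Indicators of markup or script in a decoded query string. Deliberately
// broad: the goal is triage of candidate requests, not proof of exploitation.
const SCRIPT_LIKE = [
  /<script\b/i,
  /<[a-z][^>]*\bon[a-z]+\s*=/i, // inline event handler on any tag
  /javascript:/i,
  /document\.(?:cookie|location|write)/i,
];

// Return one record per log line whose decoded query matches any indicator.
function suspiciousRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = LOG_REQUEST.exec(line);
    if (!m) continue;
    const target = m[1];
    const q = target.indexOf('?');
    if (q === -1) continue; // no query string, nothing to decode
    const decoded = fullyDecode(target.slice(q + 1));
    const rules = SCRIPT_LIKE.filter((re) => re.test(decoded)).length;
    if (rules > 0) hits.push({ path: target.slice(0, q), query: decoded, rules });
  }
  return hits;
}

// Constructed sample log. Line 1 is a normal browse, line 2 carries a
// percent-encoded <img onerror> payload, line 3 a double-encoded <script>,
// and line 4 has no query at all. A payload carried in the URL fragment
// looks exactly like line 4 to the server: that is the blind spot of
// log-based monitoring for DOM XSS.
const SAMPLE_LOG = [
  '10.0.0.5 - - [16/Mar/2026:10:01:02 +0000] "GET /mediabrowser/?folder=Movies HTTP/1.1" 200 1423',
  '10.0.0.9 - - [16/Mar/2026:10:02:17 +0000] "GET /mediabrowser/?folder=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1423',
  '10.0.0.9 - - [16/Mar/2026:10:02:40 +0000] "GET /mediabrowser/?folder=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1423',
  '10.0.0.9 - - [16/Mar/2026:10:03:05 +0000] "GET /mediabrowser/ HTTP/1.1" 200 1423',
].join('\n');

console.log(suspiciousRequests(SAMPLE_LOG));
```

Run as a filter over a real log to get a shortlist for review; the rules count is there so analysts can sort by how many indicators fired. Pair it with client-side controls (the CSP from step 5), since nothing in a server log will ever show a fragment-delivered payload.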


CVE-2017-20219 vulnerability details – vuln.today
