LambertGroup Universal Video Player CVE-2025-31917

EUVD ID: EUVD-2025-17505 | Severity: HIGH
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-06-09 | Source: [email protected]
CVSS 3.1 base score: 7.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

CVE Published: Jun 09, 2025 16:15 (nvd) - HIGH 7.1
EUVD ID Assigned: Mar 14, 2026 19:21 (euvd) - EUVD-2025-17505
Analysis Generated: Mar 14, 2026 19:21 (vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 3.8.3.

Analysis (AI-generated)

Reflected cross-site scripting (XSS) in LambertGroup Universal Video Player, all versions up to and including 3.8.3. An unauthenticated attacker can craft a URL that, when opened by a victim, executes arbitrary JavaScript in the victim's browser within the origin of the site embedding the player; the victim must be induced to open the link (UI:R). The CVSS 3.1 base score is 7.1 (High), with Scope: Changed because the vulnerable component (the player) and the impacted component (the victim's browser session on the hosting site) differ. No public exploit code or CISA KEV listing is indicated in the available intelligence, but the low attack complexity and the absence of any authentication requirement make deployed instances a realistic target for phishing-style delivery of the malicious link.

Technical Context (AI-generated)

The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is written into an HTML response without adequate validation or output encoding. The exact injection point is not identified in the public description; the player most plausibly reflects URL parameters or form inputs tied to playback (a video source URL, player configuration, or metadata fields) back into the page, which is the usual shape of this flaw in embedded media players. The 'Reflected' classification means the payload travels in the request itself (typically a crafted link) and is echoed into the response to the user who sent it, rather than being stored server-side, so each victim has to be delivered the malicious URL. The affected range 'n/a through 3.8.3' covers every release up to and including 3.8.3. An NVD CPE entry for the product would take the form cpe:2.3:a:lambertgroup:universal_video_player:*:*:*:*:*:*:*:* with versions <= 3.8.3; this is the expected form, not an identifier confirmed on this page. Because the injected script runs in the origin of whatever site embeds the player, every site that ships the component is affected, not only the player's own pages.
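As an added illustration of the flaw class described above (not LambertGroup's code, which this page does not show), the following Node.js snippet simulates a server-side handler that reflects a video-source query parameter into the player markup. The parameter name src, the route and the markup are assumptions. The vulnerable renderer concatenates the raw value into an attribute; the hardened one allow-lists the URL scheme and HTML-encodes the value for the attribute context before it is emitted.

```javascript
// Added example: a simulated server-side renderer for an embedded video
// player, NOT the LambertGroup plugin's code. The "src" parameter name,
// the route and the markup are assumptions.

// Parse the query string of a request URL (URL() percent-decodes values).
function parseQuery(requestUrl) {
  const u = new URL(requestUrl, "https://example.test/");
  return Object.fromEntries(u.searchParams.entries());
}

// Vulnerable: the raw parameter value is concatenated straight into HTML,
// so a value containing '"' breaks out of the attribute (reflected XSS).
function renderPlayerVulnerable(requestUrl) {
  const src = parseQuery(requestUrl).src || "";
  return `<video class="uvp" src="${src}"></video>`;
}

// Output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list the scheme: a "javascript:" or "data:" value would survive
// HTML encoding untouched and still be dangerous as a URL.
function isSafeMediaUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch (e) {
    return false; // relative or unparsable values are rejected
  }
}

// Hardened: validate against the allow-list, then encode for the context.
function renderPlayerSafe(requestUrl) {
  const src = parseQuery(requestUrl).src || "";
  if (!isSafeMediaUrl(src)) {
    return `<video class="uvp"></video>`; // reject rather than "clean up"
  }
  return `<video class="uvp" src="${escapeHtml(src)}"></video>`;
}

// Constructed reflected-XSS request: the src value closes the attribute and
// adds an onerror handler. Decoded: x" onerror="alert(1)
const PAYLOAD_URL = "https://example.test/player?src=x%22%20onerror%3D%22alert(1)";
// Constructed benign request.
const BENIGN_URL = "https://example.test/player?src=https%3A%2F%2Fcdn.example.test%2Fa.mp4";

console.log(renderPlayerVulnerable(PAYLOAD_URL)); // attribute broken out of
console.log(renderPlayerSafe(PAYLOAD_URL));       // payload rejected
console.log(renderPlayerSafe(BENIGN_URL));        // legitimate source kept
```

The two defences are deliberately layered: scheme validation alone would still pass a well-formed https URL carrying a quote in its path, and encoding alone would still emit a javascript: URL, so the hardened renderer applies both.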

Remediation (AI-generated)

Patch: Upgrade LambertGroup Universal Video Player to version 3.8.4 or later. 3.8.4 is the assumed first fixed version, not one confirmed on this page; verify the fixed version against the vendor's advisory (the page lists https://lambertgroup.com/security/, unverified) or its support channels before relying on it. Priority: Critical.

Workaround (temporary): Put WAF rules in front of pages that serve the Universal Video Player to block XSS payloads in URL parameters (script tags, inline event handlers such as onerror= and onload=, javascript: URIs, and their percent- and entity-encoded forms). Match on decoded values, since payloads are commonly double-encoded, and treat this as a stopgap: a WAF reduces exposure but does not close the flaw.

Workaround (temporary): Send a Content Security Policy such as script-src 'self'; object-src 'none'. Without 'unsafe-inline', the browser refuses the inline scripts and event handlers a reflected payload relies on; the application's own inline scripts then need nonces or hashes, and the vulnerability itself remains.

Detection: Monitor web server and CDN logs for unusual URL patterns aimed at video player parameters; search query strings and referrers for encoded XSS fragments (%3Cscript, &#x3C;, %22%3E, onerror%3D and the like), decoding before matching so double-encoded payloads are not missed.

Configuration: Validate every URL parameter and form input the player reads against an allow-list of expected values (for a video source, an allow-listed scheme and host) rather than a blocklist of known attack patterns, and encode values for the HTML context in which they are emitted.
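The log-review step above is easy to get wrong by grepping for literal strings, which misses double-encoded and entity-encoded payloads. The following Node.js script is an added example (not tooling from vuln.today or LambertGroup) that parses Apache/nginx "combined" access-log lines, peels percent-encoding and HTML-entity layers off each query parameter until the value stops changing, and then matches the common reflected-XSS shapes. The log lines are constructed, and the parameter names src and title are assumptions.

```javascript
// Added example: detection logic for web-server access logs, not tooling
// from vuln.today or LambertGroup. Parses Apache/nginx "combined" log
// lines, decodes query-string values repeatedly (percent-encoding and HTML
// entities, so double-encoded payloads are still seen) and flags common
// reflected-XSS shapes. Parameter names in the sample lines are assumptions.

// Constructed sample log lines (not real traffic). Line 2 carries a
// percent-encoded <script> payload; line 3 is double-encoded and uses an
// HTML entity layer (%2526lt%253B -> %26lt%3B -> &lt; -> <).
const SAMPLE_LOG = [
  '203.0.113.7 - - [09/Jun/2025:16:15:02 +0000] "GET /video/?src=https%3A%2F%2Fcdn.example.test%2Fa.mp4 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [09/Jun/2025:16:16:10 +0000] "GET /video/?src=x%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "curl/8.0"',
  '198.51.100.4 - - [09/Jun/2025:16:17:44 +0000] "GET /video/?title=%2526lt%253Bimg%2520src%253Dx%2520onerror%253Dalert(1)%2526gt%253B HTTP/1.1" 200 1590 "https://evil.example/" "Mozilla/5.0"',
  '203.0.113.12 - - [09/Jun/2025:16:18:01 +0000] "GET /video/?src=https%3A%2F%2Fcdn.example.test%2Fb.mp4&autoplay=1 HTTP/1.1" 200 1540 "-" "Mozilla/5.0"',
];

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referrer: m[6], ua: m[7] };
}

const NAMED_ENTITIES = { lt: "<", gt: ">", quot: '"', amp: "&", apos: "'" };

// Decode &lt;, &#60;, &#x3C; and friends.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? whole : named;
  });
}

// Peel encoding layers until the value stops changing (bounded so a
// malformed value cannot loop), then lower-case for matching.
function normalize(value) {
  let s = value;
  for (let i = 0; i < 4; i++) {
    let next;
    try {
      next = decodeURIComponent(s.replace(/\+/g, " "));
    } catch (e) {
      break; // malformed percent sequence: match on what we have
    }
    next = decodeHtmlEntities(next);
    if (next === s) break;
    s = next;
  }
  return s.toLowerCase();
}

// Split the raw query string without decoding, so normalize() sees every layer.
function rawQueryParams(urlOrPath) {
  const qi = urlOrPath.indexOf("?");
  if (qi < 0) return [];
  return urlOrPath.slice(qi + 1).split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    return eq < 0 ? [pair, ""] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

// Shapes worth alerting on once the value is fully decoded.
const XSS_PATTERNS = [
  { name: "script-tag", re: /<\s*\/?\s*script\b/ },
  { name: "event-handler", re: /<[^>]*\son[a-z]+\s*=/ },
  { name: "javascript-uri", re: /javascript\s*:/ },
];

function findingsFor(entry, source, urlOrPath) {
  const out = [];
  for (const [param, raw] of rawQueryParams(urlOrPath)) {
    const decoded = normalize(raw);
    const hit = XSS_PATTERNS.find((p) => p.re.test(decoded));
    if (hit) out.push({ ip: entry.ip, time: entry.time, source, param, pattern: hit.name, decoded });
  }
  return out;
}

// Scan the request path and the referrer's query string of every line.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    findings.push(...findingsFor(entry, "request", entry.path));
    if (entry.referrer && entry.referrer !== "-") findings.push(...findingsFor(entry, "referrer", entry.referrer));
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

Pipe real log lines into scanLog() after replacing SAMPLE_LOG; the patterns are intentionally narrow to keep false positives low, so extend XSS_PATTERNS with the markers specific to the player's parameters once the vulnerable ones are known.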


CVE-2025-31917 vulnerability details – vuln.today
