EUVD-2017-18932

CVE-2017-20219 | Severity: MEDIUM | CVSS 3.1 base score: 6.1
2026-03-15 | VulnCheck

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Mar 16, 2026 - 14:53 (vuln.today): PoC Detected - public exploit code
Mar 15, 2026 - 20:00 (vuln.today): Analysis Generated
Mar 15, 2026 - 20:00 (euvd): EUVD ID Assigned - EUVD-2017-18932
Mar 15, 2026 - 18:34 (nvd): CVE Published - MEDIUM 6.1

Description

Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context.

Analysis

A DOM-based cross-site scripting (XSS) vulnerability exists in Serviio PRO's mediabrowser component that allows unauthenticated remote attackers to execute arbitrary JavaScript in a user's browser context. The vulnerability affects multiple versions of Serviio PRO (1.6.1 through 1.8.0.0) and stems from unsafe handling of URL parameters that are read from document.location and passed to document.write(). Publicly available proof-of-concept exploits exist, making this a moderate-to-high priority vulnerability despite the CVSS 6.1 score.

Technical Context

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and manifests specifically as a DOM-based XSS flaw. The affected product is Serviio PRO (cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:*), a DLNA media streaming server that exposes a web-based mediabrowser component. The root cause is client-side JavaScript that passes unsanitized URL parameters read from document.location directly to document.write(). A crafted URL containing a JavaScript payload is therefore reflected into the DOM without encoding or sanitization, and the script runs in the browser context of the authenticated user who visits, or is redirected to, that URL.
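The following is an added example, not Serviio's code and not part of the vuln.today record. It reproduces the generic pattern the advisory describes (a query parameter read from a document.location-style URL and concatenated into markup that document.write() would parse) beside two hardened forms: HTML-encoding before concatenation, and assigning to textContent so no markup is parsed at all. It runs under Node; the parameter name "folder", the URL, the page wrapper, and the small element stub are constructed assumptions.

```javascript
// Added example, not Serviio's code: the document.location -> document.write()
// pattern named in the advisory, next to hardened equivalents. Node-only: the
// DOM element is a stub, and the parameter name "folder" is an assumption.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode a string so the browser can only render it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Read one query parameter from a document.location-style URL string.
// searchParams.get() returns the percent-decoded value, i.e. raw user input.
function getParam(locationHref, name) {
  return new URL(locationHref).searchParams.get(name) ?? '';
}

// VULNERABLE pattern: the raw parameter is concatenated into markup. Whatever
// document.write() receives is parsed as HTML, so markup in the URL becomes DOM.
function renderUnsafe(locationHref) {
  const folder = getParam(locationHref, 'folder');
  return '<h2>Browsing: ' + folder + '</h2>';
}

// HARDENED pattern 1: encode before concatenation. Angle brackets survive as
// literal text instead of starting elements.
function renderEncoded(locationHref) {
  const folder = getParam(locationHref, 'folder');
  return '<h2>Browsing: ' + escapeHtml(folder) + '</h2>';
}

// HARDENED pattern 2: avoid string-built markup entirely and assign the value
// to textContent, which the browser never parses as HTML. `el` stands in for a
// DOM element (constructed stub so the example runs outside a browser).
function renderTextContent(locationHref, el) {
  el.textContent = 'Browsing: ' + getParam(locationHref, 'folder');
  return el;
}

// Does the produced markup contain any element other than the <h2> wrapper?
// Used as a simple check that the hardened forms introduce no new tags.
function introducesTags(html) {
  return /<(?!\/?h2\b)[a-z]/i.test(html);
}

// Constructed sample URL of the shape the advisory describes, with markup in
// the parameter. The tag body is inert text; only its shape matters here.
const SAMPLE = 'http://media.example/mediabrowser/?folder=<script>x</script>';

console.log('unsafe  :', renderUnsafe(SAMPLE));
console.log('encoded :', renderEncoded(SAMPLE));
console.log('textOnly:', renderTextContent(SAMPLE, { textContent: '' }).textContent);
```

Of the two hardened forms, textContent is the better default: it removes the HTML parser from the data path, whereas encoding has to be applied correctly at every concatenation point and is only valid for the HTML text context (attribute, URL, and script contexts need their own encoders).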

Affected Products

Serviio PRO versions affected per EUVD data: 1.6.1, 1.7.0, 1.7.1, and 1.8.0.0 PRO. The CPE indicates all versions of Serviio PRO (cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:*) are potentially in scope. The vulnerability is confirmed in the mediabrowser component. Serviio Free/Community editions are not explicitly mentioned in the provided data but may warrant investigation. The ENISA EUVD ID (EUVD-2017-18932) is the official European cataloging reference for this vulnerability.

Remediation

Patch availability: Upgrade Serviio PRO to version 1.9 or later (implied from version history; specific patch version not stated in provided references but post-1.8.0.0 versions should be investigated).

Mitigation steps:
(1) Immediately update Serviio PRO to the latest available version from the vendor.
(2) Restrict network access to the Serviio web interface using firewall rules or network segmentation.
(3) Disable remote access to the mediabrowser component if not required.
(4) Monitor access logs for suspicious URL parameters containing script-like payloads.
(5) Implement Content Security Policy (CSP) headers, if possible, at the reverse proxy or application level.

Vendor reference: https://www.vulncheck.com/advisories/serviio-pro-dom-based-cross-site-scripting-via-mediabrowser
Additional technical details: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5406.php and https://packetstormsecurity.com/files/142385 (POC).
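As an added example for mitigation steps (4) and (5), not code from Serviio, VulnCheck, or vuln.today, here is a small Node script that scans web-server access log lines for script-like content in mediabrowser URLs, decoding the query string twice so doubly encoded values are seen the way a browser would end up with them, and a CSP header value to stage on a reverse proxy. The Combined Log Format, the "/mediabrowser" path prefix, the indicator list, the sample log lines, and the policy value are all constructed assumptions to be adjusted to the deployment.

```javascript
// Added example, not Serviio's or vuln.today's code: detection for remediation
// step (4) and a CSP value for step (5). Log format (Combined Log Format), the
// "/mediabrowser" prefix and the sample lines are constructed assumptions.

// Decode a query string up to twice so a doubly encoded value is compared in
// the same form a browser would finally render. '+' is treated as a space
// (form encoding), which is loose but adequate for detection.
function decodeLoose(s) {
  let out = s.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch (e) { break; }
  }
  return out;
}

// Indicators that a parameter value carries markup or script rather than an
// ordinary folder or file name.
const INDICATORS = [
  /<\s*\/?\s*script/i,                     // script tag, opening or closing
  /<\s*[a-z]+[^>]*\son[a-z]+\s*=/i,        // any tag with an on* handler attribute
  /javascript\s*:/i,                       // javascript: URL scheme
  /<\s*(iframe|img|svg|object|embed)\b/i,  // elements commonly used to carry handlers
];

// Parse one Combined Log Format line. Returns null if it does not match.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Inspect one parsed entry: only mediabrowser URLs with a query string matter.
// Returns a finding object, or null when nothing suspicious is present.
function inspect(entry) {
  if (!entry || !entry.path.startsWith('/mediabrowser')) return null;
  const qIdx = entry.path.indexOf('?');
  if (qIdx === -1) return null;
  const query = decodeLoose(entry.path.slice(qIdx + 1));
  const hits = INDICATORS.filter((re) => re.test(query)).length;
  return hits > 0 ? { client: entry.client, time: entry.time, indicators: hits, query } : null;
}

// Run over a whole log text and return the suspicious entries in order.
function scanLog(text) {
  return text.split('\n').map(parseLogLine).map(inspect).filter(Boolean);
}

// Constructed sample log: ordinary requests, a non-mediabrowser path, and
// three mediabrowser requests carrying markup or a script scheme, one of them
// double-encoded. Tag bodies are inert text.
const SAMPLE_LOG = [
  '10.0.0.5 - - [16/Mar/2026:14:53:01 +0000] "GET /mediabrowser/?folder=Movies HTTP/1.1" 200 512',
  '10.0.0.5 - - [16/Mar/2026:14:53:02 +0000] "GET /mediabrowser/?folder=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [16/Mar/2026:14:54:10 +0000] "GET /console/ HTTP/1.1" 200 2048',
  '10.0.0.9 - - [16/Mar/2026:14:54:11 +0000] "GET /mediabrowser/?file=javascript%3Ax HTTP/1.1" 200 700',
  '10.0.0.9 - - [16/Mar/2026:14:54:12 +0000] "GET /mediabrowser/ HTTP/1.1" 200 1800',
  '10.0.0.7 - - [16/Mar/2026:14:55:00 +0000] "GET /mediabrowser/?folder=%253Cscript%253Ex HTTP/1.1" 200 600',
].join('\n');

// Step (5): a strict policy value for the reverse proxy in front of the web
// interface. Inline script is not allowed, which is what a <script> block
// injected via document.write() output depends on. Assumed value; roll it out
// as Content-Security-Policy-Report-Only first and confirm the interface
// still loads before enforcing.
const CSP_HEADER_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.client} indicators=${f.indicators} query=${f.query}`);
}
console.log('Content-Security-Policy:', CSP_HEADER_VALUE);
```

The indicator list is deliberately short and will miss obfuscated variants; it is meant to surface probes against the known-vulnerable component for triage, not to replace the upgrade. Findings should be correlated with the client address and with whether the request came from a session that was later used on the interface.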

Priority Score

51 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +30
POC: +20

