CVE-2018-6360

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.
Severity
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Atk. Vector
NETWORK
Atk. Complexity
LOW
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
mpvmpv
𝑥
≤ 0.28.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mpv
bullseye
0.32.0-3
fixed
jessie
not-affected
bookworm
0.35.1-4
fixed
sid
0.38.0-1
fixed
trixie
0.38.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mpv
noble
Fixed 0.27.2-1ubuntu1
released
mantic
Fixed 0.27.2-1ubuntu1
released
lunar
Fixed 0.27.2-1ubuntu1
released
kinetic
Fixed 0.27.2-1ubuntu1
released
jammy
Fixed 0.27.2-1ubuntu1
released
impish
Fixed 0.27.2-1ubuntu1
released
hirsute
Fixed 0.27.2-1ubuntu1
released
groovy
Fixed 0.27.2-1ubuntu1
released
focal
Fixed 0.27.2-1ubuntu1
released
eoan
Fixed 0.27.2-1ubuntu1
released
disco
Fixed 0.27.2-1ubuntu1
released
cosmic
Fixed 0.27.2-1ubuntu1
released
bionic
Fixed 0.27.2-1ubuntu1
released
artful
ignored
xenial
needed
trusty
dne