CVE-2018-9182
https://notcve.org/view.php?id=CVE-2018-9182
Twonky Server before 8.5.1 has XSS via a modified "language" parameter in the Language section.
• https://gist.github.com/priyanksethi/08fb93341cf7e61344aad5c4fee3aa9b
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-9177
https://notcve.org/view.php?id=CVE-2018-9177
Twonky Server before 8.5.1 has XSS via a folder name on the Shared Folders screen.
• https://gist.github.com/prafagr/bd641fcfe71661065e659672c737173b
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-7203 – TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-7203
Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to inject arbitrary web script or HTML via the friendlyname parameter to rpc/set_all. TwonkyMedia Server version 7.0.11-8.5 suffers from a persistent cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/44351
• http://packetstormsecurity.com/files/146939/TwonkyMedia-Server-7.0.11-8.5-Cross-Site-Scripting.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-7171 – TwonkyMedia Server 7.0.11-8.5 - Directory Traversal
https://notcve.org/view.php?id=CVE-2018-7171
Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to share the contents of arbitrary directories via a .. (dot dot) in the contentbase parameter to rpc/set_all. TwonkyMedia Server version 7.0.11-8.5 suffers from a directory traversal vulnerability.
• https://www.exploit-db.com/exploits/44350
• http://packetstormsecurity.com/files/146938/TwonkyMedia-Server-7.0.11-8.5-Directory-Traversal.html
• https://github.com/mechanico/sharingIsCaring/blob/master/twonky.py
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')