{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2017-20219", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-15T17:44:32.856Z", "datePublished": "2026-03-15T18:34:27.373Z", "dateUpdated": "2026-03-16T14:20:17.702Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:27.373Z"}, "datePublic": "2017-05-03T00:00:00.000Z", "title": "Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser", "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Serviio", "product": "Serviio PRO", "versions": [{"version": "1.8.0.0 PRO", "status": "affected"}, {"version": "1.7.1", "status": "affected"}, {"version": "1.7.0", "status": "affected"}, {"version": "1.6.1", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5406.php", "name": "Zero Science Lab Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://blogs.securiteam.com/index.php/archives/3094", "name": "SecuriTeam Blogs", "tags": ["third-party-advisory"]}, {"url": "https://cxsecurity.com/issue/WLB-2017050020", "name": "CXSecurity", "tags": ["third-party-advisory"]}, {"url": "https://packetstormsecurity.com/files/142385", "name": "Packet Storm Security", "tags": ["exploit"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125647", "name": "IBM X-Force Exchange", "tags": ["vdb-entry"]}, {"name": "VulnCheck Advisory: Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/serviio-pro-dom-based-cross-site-scripting-via-mediabrowser"}], "credits": [{"lang": "en", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2017-20219", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:11:24.579324Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:17.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2017-20219", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:11:24.579324Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:17:13.310Z"}}], "cna": {"title": "Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser", "credits": [{"lang": "en", "type": "finder", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Serviio", "product": "Serviio PRO", "versions": [{"status": "affected", "version": "1.8.0.0 PRO"}, {"status": "affected", "version": "1.7.1"}, {"status": "affected", "version": "1.7.0"}, {"status": "affected", "version": "1.6.1"}]}], "datePublic": "2017-05-03T00:00:00.000Z", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5406.php", "name": "Zero Science Lab Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://blogs.securiteam.com/index.php/archives/3094", "name": "SecuriTeam Blogs", "tags": ["third-party-advisory"]}, {"url": "https://cxsecurity.com/issue/WLB-2017050020", "name": "CXSecurity", "tags": ["third-party-advisory"]}, {"url": "https://packetstormsecurity.com/files/142385", "name": "Packet Storm Security", "tags": ["exploit"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125647", "name": "IBM X-Force Exchange", "tags": ["vdb-entry"]}, {"url": "https://www.vulncheck.com/advisories/serviio-pro-dom-based-cross-site-scripting-via-mediabrowser", "name": "VulnCheck Advisory: Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:27.373Z"}}}, "cveMetadata": {"cveId": "CVE-2017-20219", "state": "PUBLISHED", "dateUpdated": "2026-03-16T14:20:17.702Z", "dateReserved": "2026-03-15T17:44:32.856Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-15T18:34:27.373Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to document.write() in the mediabrowser component to execute code in a user's browser context."}, {"lang": "es", "value": "Servidor de streaming de medios DLNA Serviio PRO 1.8 contiene una vulnerabilidad de cross-site scripting basada en DOM que permite a los atacantes ejecutar c\u00f3digo HTML y de script arbitrario inyectando cargas \u00fatiles maliciosas. Los atacantes pueden crear URLs con entrada maliciosa que se lee de document.location y se pasa a document.write() en el componente mediabrowser para ejecutar c\u00f3digo en el contexto del navegador de un usuario."}], "id": "CVE-2017-20219", "lastModified": "2026-04-15T14:56:45.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:17:51.527", "references": [{"source": "disclosure@vulncheck.com", "url": "https://blogs.securiteam.com/index.php/archives/3094"}, {"source": "disclosure@vulncheck.com", "url": "https://cxsecurity.com/issue/WLB-2017050020"}, {"source": "disclosure@vulncheck.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125647"}, {"source": "disclosure@vulncheck.com", "url": "https://packetstormsecurity.com/files/142385"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/serviio-pro-dom-based-cross-site-scripting-via-mediabrowser"}, {"source": "disclosure@vulncheck.com", "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5406.php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.8.0.0 PRO"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.7.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.7.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Serviio PRO", "source": "cna", "vendor": "Serviio"}, "product": "serviio_pro", "vendor": "serviio"}], "analysis": {"en": {"generated_at": "2026-03-21T15:35:52.985725+00:00", "value": {"mitigation_remediation": ["Upgrade Serviio PRO to a version that fixes the DOM\u2011based XSS flaw.", "If an upgrade is not immediately feasible, block or sanitize URLs that target the mediabrowser component to prevent injection of malicious input.", "Restrict access to the media server to trusted networks or authenticated users to limit exposure.", "Monitor server logs for suspicious URL patterns and investigate anomalous requests.", "Ensure client browsers are up\u2011to\u2011date and have XSS protection enabled."], "summary": {"action": "Patch", "impact": "Client\u2011side arbitrary code execution via XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Serviio PRO 1.8 DLNA Media Streaming Server. Any instance running that exact version is vulnerable.", "description_and_impact": "Serviio PRO 1.8 contains a DOM\u2011based cross\u2011site scripting flaw in its mediabrowser component. Attackers can craft URLs that inject malicious payloads, which are read from document.location and subsequently rendered by document.write, allowing arbitrary HTML and JavaScript to execute in the victim\u2019s browser. This client\u2011side code execution could be used for malicious browser actions such as defacing a page or hijacking a session, though the description does not detail specific downstream effects.", "risk_and_exploitability": "The CVSS score of 5.1 places the flaw in the medium severity range, and an EPSS score of less than 1% indicates a low probability of exploitation in the real world. The vulnerability is not listed in the CISA KEV catalog. Attackers must lure a user to a specially crafted URL that the mediabrowser component processes; when the URL is read into document.location and passed to document.write, the injected code executes in the victim\u2019s browser context. This requires user interaction and does not compromise the server, but it grants the attacker full client\u2011side control."}}}}, "created": "2026-03-16T09:21:02.002035+00:00", "updated": "2026-03-23T14:01:20.058903+00:00", "vendors": ["serviio", "serviio$PRODUCT$serviio_pro"]}