CVE-2023-1384

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-1384
The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter allowing for arbitrary javascript code to be run This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/ Third Party Advisory
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/ Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*
cpe:2.3:h:amazon:fire_tv_stick_3rd_gen:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*
cpe:2.3:h:bestbuy:insignia_tv:-:*:*:*:*:*:*:*
History

21 Nov 2024, 07:39

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1 		v2 : unknown
v3 : 4.3
References () https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/ - Third Party Advisory () https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/ - Third Party Advisory

12 May 2023, 16:06

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
References (MISC) https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/ - (MISC) https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/ - Third Party Advisory
CWE CWE-80 CWE-79
CPE cpe:2.3:h:bestbuy:insignia_tv:-:*:*:*:*:*:*:*
cpe:2.3:o:amazon:fire_os:*:*:*:*:*:*:*:*
cpe:2.3:h:amazon:fire_tv_stick_3rd_gen:-:*:*:*:*:*:*:*

03 May 2023, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-05-03 13:15

Updated : 2024-11-21 07:39

NVD link : CVE-2023-1384

Mitre link : CVE-2023-1384

CVE.ORG link : CVE-2023-1384

JSON object : View

Products Affected

amazon

  • fire_os
  • fire_tv_stick_3rd_gen

bestbuy

  • insignia_tv
CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')