{"id":"UBUNTU-CVE-2018-8831","details":"A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.","modified":"2026-05-20T16:03:19.752940544Z","published":"2018-04-18T17:29:00Z","upstream":["CVE-2018-8831"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-8831"},{"type":"REPORT","url":"http://seclists.org/fulldisclosure/2018/Apr/36"},{"type":"REPORT","url":"https://trac.kodi.tv/ticket/17814"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-8831"}],"affected":[{"package":{"name":"kodi","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["15.1+dfsg1-3","15.2+dfsg1-1build1","15.2+dfsg1-3","15.2+dfsg1-3ubuntu1","15.2+dfsg1-3ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-bin","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-data","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-common","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-j2me","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"15.2+dfsg1-3ubuntu1.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:17.3+dfsg1-3","2:17.3+dfsg1-3build1","2:17.3+dfsg1-5","2:17.3+dfsg1-5build1","2:17.3+dfsg1-5build2","2:17.6+dfsg1-1","2:17.6+dfsg1-1build1","2:17.6+dfsg1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-bin","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-common","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-ps3","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-wiiremote","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-xbmc-send","binary_version":"2:17.6+dfsg1-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:17.6+dfsg1-4ubuntu4","2:17.6+dfsg1-4ubuntu9","2:17.6+dfsg1-4ubuntu10","2:18.5+dfsg1-0ubuntu3","2:18.6+dfsg1-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-gbm","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-wayland","binary_version":"2:18.6+dfsg1-2ubuntu1"},{"binary_name":"kodi-x11","binary_version":"2:18.6+dfsg1-2ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:19.1+dfsg2-2","2:19.3+dfsg1-1","2:19.3+dfsg1-1build2","2:19.3+dfsg1-1build3","2:19.3+dfsg1-1build4","2:19.3+dfsg1-1build5","2:19.4+dfsg1-2"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-bin","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-data","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-common","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-python","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-repository-kodi","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:19.4+dfsg1-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:20.2+dfsg-4","2:20.2+dfsg-4build1","2:20.2+dfsg-4build2","2:20.2+dfsg-4ubuntu1","2:20.3+dfsg-1","2:20.4+dfsg-1","2:20.5+dfsg-1build2","2:20.5+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-python","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:20.5+dfsg-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:21.2+dfsg-1build2","2:21.2+dfsg-4","2:21.2+dfsg-4build1","2:21.2+dfsg-4build2"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-bin","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-data","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-common","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-python","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-repository-kodi","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:21.2+dfsg-4build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:21.2+dfsg-4build2","2:21.2+dfsg-4build3","2:21.2+dfsg-5","2:21.3+dfsg-1","2:21.3+dfsg-1build1","2:21.3+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-python","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:21.3+dfsg-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8831.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}