PatchSiren cyber security CVE debrief
CVE-2017-6391 Kaltura CVE debrief
CVE-2017-6391 is a cross-site scripting (XSS) vulnerability in Kaltura Server Lynx-12.11.0. Several admin_console web tool URLs reflect user-supplied input without adequate filtering, so a crafted link can execute attacker-controlled HTML or script in a victim's browser in the context of the vulnerable Kaltura site. Exploitation requires the victim to open such a link, which keeps the CVSS score in the medium range, but because the affected pages live under admin_console the likely victims are administrators, so the issue deserves more attention than a cosmetic web hygiene finding.
- Vendor: Kaltura
- Product: Kaltura Server
- CVE: CVE-2017-6391
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Kaltura administrators, operators, and security teams responsible for Kaltura Server deployments, especially deployments where admin_console or its related web tools are reachable by users who may be lured into clicking crafted links. Developers maintaining custom integrations or templates around the affected PHP tools should also review how those tools handle and render request parameters.
Technical summary
NVD classifies the weakness as CWE-79 (improper neutralization of input during web page generation). The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1): the attack is reachable over the network with low complexity and no privileges, but it requires user interaction (a victim opening a crafted URL); the scope is changed because the vulnerable component is the server while the impact lands in the victim's browser; confidentiality and integrity impact are rated low and availability is unaffected. The root cause is insufficient filtering of user-supplied data passed to four tools under admin_console/web/tools/: SimpleJWPlayer.php, AkamaiBroadcaster.php, bigRedButton.php, and bigRedButtonPtsPoc.php. NVD's affected CPE data lists Kaltura Server versions up to and including lynx-12.11.0.
Defensive priority
Medium priority. The flaw can turn an administrator's or other trusted user's browser session into an execution context for attacker-supplied script, so it should be remediated promptly on internet-facing or broadly reachable Kaltura deployments. The vector records no availability impact (A:N), so it is not a denial-of-service concern.
Recommended defensive actions
- Confirm whether your Kaltura Server deployment falls within the affected CPE range listed by NVD, which covers versions up to and including lynx-12.11.0.
- Apply the vendor fix referenced in the Kaltura repository and track the associated issue for the corrected release path (no fixed version number is given in the supplied corpus).
- Restrict access to admin_console and its web tools to trusted networks and authenticated administrators until remediation is complete; the tools can only be abused by a victim who can reach them.
- Review any custom code or templates that pass user-controlled input into these endpoints, and ensure output is encoded for the context it is rendered in (HTML body, attribute, or script) and that input is validated against what each parameter actually needs.
- After remediation, verify that the four affected pages no longer reflect unencoded input, for example by sending a harmless marker string containing quote and angle-bracket characters to each endpoint and confirming it comes back entity-encoded or not at all.
- Monitor web server logs for requests to the four affected paths whose query strings carry HTML or script fragments, and for unexpected administrator-session activity that follows such requests, while the fix is being deployed.
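The post-remediation verification step above, as an added example for this debrief (not Kaltura code and not from the CVE record). It probes the four endpoint paths named in the CVE with a marker string and classifies how each response reflects it. The parameter names the tools read are not given in the CVE record, so they are an input the operator must supply from the deployed PHP files; the hostname in the usage line is a placeholder.

```python
"""Reflection check for the four admin_console/web/tools endpoints named in
CVE-2017-6391. Added example for this debrief, not Kaltura's own code.

The vulnerable parameter names are not published in the CVE record; pass the
names your deployment's PHP files read as `param_names` (assumption: they are
plain GET parameters, which is what the "crafted URL" attack implies).
"""
import html
import urllib.parse
import urllib.request

# Endpoint paths exactly as named in the CVE description.
AFFECTED_TOOLS = (
    "admin_console/web/tools/SimpleJWPlayer.php",
    "admin_console/web/tools/AkamaiBroadcaster.php",
    "admin_console/web/tools/bigRedButton.php",
    "admin_console/web/tools/bigRedButtonPtsPoc.php",
)

# An unlikely alphanumeric token wrapped in characters that must be neutralized
# in an HTML body or quoted-attribute context. Harmless if it does execute.
TOKEN = "xss7f3"
CANARY = f'{TOKEN}"><u>{TOKEN}</u>'


def expected_encoding(canary: str = CANARY) -> str:
    """The entity-encoded form a correctly fixed page should emit.

    For the characters in CANARY this matches PHP's htmlspecialchars() output
    (&quot; &lt; &gt;), which is the usual fix for CWE-79 in PHP templates.
    """
    return html.escape(canary, quote=True)


def classify_reflection(body: str, canary: str = CANARY, token: str = TOKEN) -> str:
    """Classify how a response body reflects the canary.

    'unencoded': raw canary present, still exploitable in body/attribute context
    'encoded':   only the entity-encoded form present (safe in that context)
    'altered':   token came back but the markup was stripped or rewritten;
                 inspect by hand, blacklist-style filters are often bypassable
    'absent':    the parameter is not reflected at all
    """
    if canary in body:
        return "unencoded"
    if expected_encoding(canary) in body:
        return "encoded"
    if token in body:
        return "altered"
    return "absent"


def build_probe_urls(base_url: str, param_names, canary: str = CANARY) -> list:
    """One probe URL per affected tool, setting every named parameter to the canary."""
    query = urllib.parse.urlencode({name: canary for name in param_names})
    return [f"{base_url.rstrip('/')}/{tool}?{query}" for tool in AFFECTED_TOOLS]


def probe(base_url: str, param_names, headers=None, timeout: float = 10.0) -> dict:
    """Fetch each probe URL and classify the reflection.

    `headers` is where a session cookie goes if the tools sit behind a login;
    the request is otherwise unauthenticated, matching the PR:N vector.
    """
    results = {}
    for url in build_probe_urls(base_url, param_names):
        req = urllib.request.Request(url, headers=headers or {})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        results[url] = classify_reflection(body)
    return results


if __name__ == "__main__":
    import sys
    # Usage (placeholder host): python check.py https://kaltura.example param1 param2
    base, params = sys.argv[1], sys.argv[2:]
    for url, verdict in probe(base, params).items():
        print(f"{verdict:9s} {url}")
```

Only an "unencoded" verdict proves the page is still vulnerable; an "encoded" verdict is sufficient only for HTML body and quoted-attribute contexts. If a tool echoes a parameter inside a `<script>` block or a URL attribute, entity encoding alone is the wrong fix and this check would need a context-specific canary. Treat "altered" as unresolved rather than fixed.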
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus and the linked official or vendor references. The core facts are: public disclosure on 2017-03-02, CVSS 6.1 medium, CWE-79, user interaction required, and affected Kaltura Server versions up to and including lynx-12.11.0. The description explicitly names the four admin_console/web/tools PHP endpoints as the affected sinks. No fixed version number was provided in the supplied corpus.
Official resources
- CVE-2017-6391 CVE record (CVE.org)
- CVE-2017-6391 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: mitigation or vendor reference, [email protected], tagged Patch
- Source reference: mitigation or vendor reference, [email protected], tagged Patch, Third Party Advisory
Publicly disclosed in the CVE record and NVD entry on 2017-03-02.