Overview
CVE-2025-13588 is a medium-severity vulnerability affecting lKinderBueno Streamity Xtream IPTV Player up to version 2.8. It is a Server-Side Request Forgery (SSRF) in the public/proxy.php file, which lets an attacker make the server issue requests to destinations the application never intended to contact.
Technical Details
The vulnerability stems from insufficient input validation within the public/proxy.php file. By manipulating specific request parameters, a remote attacker can cause the server to make HTTP requests to arbitrary servers, including hosts that are only reachable from the server itself. This can be used to scan internal networks, reach sensitive services behind firewalls, or abuse the trust that other systems place in the server.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13588 is 6.3 (Medium). This score reflects the moderate impact and exploitability of the vulnerability.
Possible Impact
The successful exploitation of this SSRF vulnerability could lead to:
- Internal network scanning.
- Access to sensitive internal resources.
- Potentially, remote code execution if the attacker can target vulnerable internal services.
- Data leakage and compromise.
Mitigation and Patch Steps
The vulnerability has been addressed in Streamity Xtream IPTV Player version 2.8.1. It is highly recommended to upgrade to this version or a later version as soon as possible.
The patch, identified as c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92, includes improved input validation to prevent unauthorized external requests.
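The following is an added illustration of the kind of input validation a proxy endpoint such as public/proxy.php needs, written for this page; it is not the project's code and not the content of the patch referenced above. The "url" parameter name, the ALLOWED_HOSTS list, the function names and PHP 8 are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration (not the project's code, not the actual patch). The "url"
// parameter, ALLOWED_HOSTS and all function names are assumptions.
// The weak pattern this replaces is, in essence:
//     echo file_get_contents($_GET['url']);   // any scheme, any host, any port

const ALLOWED_SCHEMES = ['http', 'https'];
// Constructed allowlist of upstream hosts the proxy may contact.
const ALLOWED_HOSTS   = ['streams.example.com', 'cdn.example.net'];
// Loopback, RFC 1918, link-local (cloud metadata), CGNAT, multicast/reserved.
const BLOCKED_CIDRS   = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/3',
];

/** True when an IPv4 address lies inside the given CIDR block. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Validates a caller-supplied URL. Returns ['url' => rebuilt URL, 'ip' => the
 * resolved address to pin], or null when the request must be refused.
 */
function validate_upstream_url(string $raw): ?array
{
    $p = parse_url($raw);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        return null;                  // rejects file://, gopher://, php:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                  // rejects user@host confusion
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                  // only named upstreams, never raw IPs
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                  // no port probing through the proxy
    }
    // Resolve once and check every answer, so an allowlisted name that points
    // into the internal network is still refused.
    $answers = @dns_get_record($host, DNS_A);
    if (!is_array($answers) || $answers === []) {
        return null;
    }
    foreach ($answers as $a) {
        foreach (BLOCKED_CIDRS as $cidr) {
            if (ip_in_cidr($a['ip'], $cidr)) {
                return null;
            }
        }
    }
    // Rebuild from the validated parts instead of echoing the raw input.
    $url = $scheme . '://' . $host . ':' . $port . ($p['path'] ?? '/');
    if (isset($p['query'])) {
        $url .= '?' . $p['query'];
    }
    return ['url' => $url, 'ip' => $answers[0]['ip']];
}

/** Fetches the validated URL with the connection pinned to the checked address. */
function proxy_fetch(array $target): string|false
{
    $host = parse_url($target['url'], PHP_URL_HOST);
    $port = parse_url($target['url'], PHP_URL_PORT);
    $ch = curl_init($target['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,            // a redirect could point inward
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        // Pinning defeats a DNS answer changing between the check and the fetch.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$target['ip']}"],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

$target = validate_upstream_url((string) ($_GET['url'] ?? ''));
if ($target === null) {
    http_response_code(400);
    exit('Refused: upstream URL is not permitted.');
}
$body = proxy_fetch($target);
if ($body === false) {
    http_response_code(502);
    exit('Upstream fetch failed.');
}
header('Content-Type: application/octet-stream');
echo $body;
```

The host allowlist is the primary control; the scheme, credential and port checks close the usual bypasses, the CIDR check catches an allowlisted name that resolves inward, and pinning the resolved address with CURLOPT_RESOLVE plus disabling redirects stops the request from being steered elsewhere after validation. The example handles IPv4 only; an IPv6-capable deployment would need an equivalent check on AAAA records.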
