CVE-2023-1384 MEDIUM

Vendor Amazon
Product Fire TV Stick 3rd gen
Weakness CWE-80 · XSS · basic
Published May 3, 2023
Last update January 30, 2025

CVSS base score

4.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter, allowing arbitrary JavaScript code to be run. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5; Insignia TV with FireOS versions prior to 7.6.3.3.

Key dates

02 Disclosure timeline

May 3, 2023 CVE published
January 30, 2025 Record updated