{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T09:07:19.492","vulnerabilities":[{"cve":{"id":"CVE-2022-25229","sourceIdentifier":"help@fluidattacks.com","published":"2022-05-20T11:15:07.427","lastModified":"2026-06-17T04:33:14.600","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands."},{"lang":"es","value":"Popcorn Time versión 0.4.7, presenta un ataque de tipo XSS almacenado en el campo \"Movies API Server(s)'' por medio de la página \"settings\". La configuración \"nodeIntegration\" está habilitada, lo que permite a la página web usar las características de \"NodeJs\", un atacante puede aprovechar esto para ejecutar comandos del Sistema Operativo"}],"affected":[{"source":"help@fluidattacks.com","affectedData":[{"vendor":"n/a","product":"Popcorn Time","versions":[{"version":"0.4.7","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","baseScore":3.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:popcorn_time_project:popcorn_time:0.4.7:*:*:*:*:*:*:*","matchCriteriaId":"8AAA5CD1-1B05-4450-861B-DDC97756C505"}]}]}],"references":[{"url":"https://fluidattacks.com/advisories/bowie/","source":"help@fluidattacks.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/popcorn-official/popcorn-desktop/issues/2491","source":"help@fluidattacks.com","tags":["Exploit","Issue Tracking","Third Party Advisory"]},{"url":"https://fluidattacks.com/advisories/bowie/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/popcorn-official/popcorn-desktop/issues/2491","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Third Party Advisory"]}]}}]}