CVE-2018-19937 - Vulnerability Details - OpenCVE

A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Videolan	Vlc For Mobile

Configuration 1 [-]

cpe:2.3:a:videolan:vlc_for_mobile:*:*:*:*:*:iphone_os:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2018-11608	A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f
https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8

History

Tue, 06 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-12-31T16:00:00.000Z

Updated: 2025-05-06T16:53:08.183Z

Reserved: 2018-12-07T00:00:00.000Z

Link: CVE-2018-19937

Vulnrichment

Updated: 2024-08-05T11:51:17.807Z

NVD

Status : Modified

Published: 2018-12-31T16:29:00.407

Modified: 2025-05-06T17:15:49.307

Link: CVE-2018-19937

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-12-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-18T20:17:06.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19937", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8", "refsource": "CONFIRM", "url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8"}, {"name": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f", "refsource": "MISC", "url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:51:17.807Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-06T16:52:57.216838Z", "id": "CVE-2018-19937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T16:53:08.183Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19937", "datePublished": "2018-12-31T16:00:00.000Z", "dateReserved": "2018-12-07T00:00:00.000Z", "dateUpdated": "2025-05-06T16:53:08.183Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:51:17.807Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2018-19937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-06T16:52:57.216838Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T16:48:56.443Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-12-21T00:00:00.000Z", "references": [{"url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2019-04-18T20:17:06.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8", "name": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8", "refsource": "CONFIRM"}, {"url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f", "name": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-19937", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2018-19937", "state": "PUBLISHED", "dateUpdated": "2025-05-06T16:53:08.183Z", "dateReserved": "2018-12-07T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2018-12-31T16:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:videolan:vlc_for_mobile:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "3E8671E6-ED5C-428C-A087-84EE241CEFEB", "versionEndExcluding": "3.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone."}, {"lang": "es", "value": "Un atacante autenticado y local puede omitir la contrase\u00f1a en la aplicaci\u00f3n de VideoLAN VLC media player en versiones anteriores a la 3.1.5 para iOS abriendo una URL y encendiendo el tel\u00e9fono."}], "id": "CVE-2018-19937", "lastModified": "2025-05-06T17:15:49.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2018-12-31T16:29:00.407", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/videolan/vlc-ios/pull/178/commits/d84d7c0a94eb7fba202d2c5fc3739276d2d3986f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://itunes.apple.com/ms/app/vlc-for-mobile/id650377962?mt=8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}