Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

VideoWhisper 7 Cross Site Scripting

Related Vulnerabilities: CVE-2014-2715  
Publish Date: 25 Apr 2014
Author: Mahmoud Ghorbanzadeh
Source 
                							

                Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper
CVE: CVE-2014-2715
Vendor: VideoWhisper
Product: Videowhisper module for Drupal 7
Affected version: 7
Fixed version: 
Reported by: Mahmoud Ghorbanzadeh

Details:

Hello,
I found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.

POC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>

Vendor Notification: 18, Apr 2014
 
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.

Best Regards.
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started