| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Apr 2014 11:57:09 GMT
From: mdgh9@...oo.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2014-2715] Cross-site scripting (XSS) vulnerability in
Videowhisper
Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper
CVE: CVE-2014-2715
Vendor: VideoWhisper
Product: Videowhisper module for Drupal 7
Affected version: 7
Fixed version:
Reported by: Mahmoud Ghorbanzadeh
Details:
Hello,
I found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.
POC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>
Vendor Notification: 18, Apr 2014
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.
Best Regards.
Powered by blists - more mailing lists