lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201404251157.s3PBv9Bm027388@sf01web3.securityfocus.com>
Date: Fri, 25 Apr 2014 11:57:09 GMT
From: mdgh9@...oo.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2014-2715] Cross-site scripting (XSS) vulnerability in
 Videowhisper

Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper
CVE: CVE-2014-2715
Vendor: VideoWhisper
Product: Videowhisper module for Drupal 7
Affected version: 7
Fixed version: 
Reported by: Mahmoud Ghorbanzadeh

Details:

Hello,
I found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.

POC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>

Vendor Notification: 18, Apr 2014
 
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.

Best Regards.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ