WordPress VideoWhisper Video Presentation Multiple Cross-Site Scripting Vulnerabilities
Released on: 2014-09-02
Updated on: 2014-09-04
Affected Systems:
WordPress VideoWhisper Video Presentation <3.31
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69511
CVE (CAN) ID: CVE-2014-4570
VideoWhisper Video Consultation is a web-based video communication solution.
Multiple cross-site scripting vulnerabilities exist in VideoWhisper Video Presentation versions earlier than 3.31. Remote attackers can inject arbitrary web script or HTML through the room_name parameter passed to vp/c_login.php or the room parameter passed to vp/index.php.
<* Source: Anant Shrivastava
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://www.example.com/wp-content/plugins/videowhisper-video-presentation/vp/c_login.php?room_name=room_name”>
http://www.example.com/wp-content/plugins/videowhisper-video-presentation/vp/index.php?room=”/>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://wordpress.org/plugins/videowhisper-video-presentation/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=839980%40videowhisper-video-presentation&old=600781%40videowhisper-video-presentation&sfp_email=&sfph_mail=#file4
http://codevigilant.com/disclosure/wp-plugin-videowhisper-video-presentation-a3-cross-site-scripting-xss
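
Log review:
A defensive check for the two requests described above, added here as an example and not part of the original advisory or the plugin: it scans web server access-log lines for requests to vp/c_login.php and vp/index.php whose room_name or room value decodes to HTML markup characters. The combined-style log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint suffix -> parameter, as named in the advisory.
WATCHED = {
    "/videowhisper-video-presentation/vp/c_login.php": "room_name",
    "/videowhisper-video-presentation/vp/index.php": "room",
}
# Characters that can break out of an HTML attribute or element context.
MARKUP = re.compile(r"[<>\"'`\u201c\u201d]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        path = fully_decode(url.path).lower()
        for suffix, param in WATCHED.items():
            if not path.endswith(suffix):
                continue
            # parse_qsl decodes once; fully_decode catches double encoding.
            for key, raw in parse_qsl(url.query, keep_blank_values=True):
                value = fully_decode(raw)
                if key == param and MARKUP.search(value):
                    hits.append((number, param, value))
    return hits


# Constructed sample access-log lines (not real traffic).
P = "/wp-content/plugins/videowhisper-video-presentation/vp"
SAMPLE_LOG = [
    f'203.0.113.5 - - [03/Sep/2014:10:00:01 +0000] "GET {P}/c_login.php?room_name=Lobby HTTP/1.1" 200 512',
    f'203.0.113.9 - - [03/Sep/2014:10:02:17 +0000] "GET {P}/c_login.php?room_name=room_name%22%3E HTTP/1.1" 200 530',
    f'203.0.113.9 - - [03/Sep/2014:10:02:19 +0000] "GET {P}/index.php?room=%2522%2F%253E HTTP/1.1" 200 2048',
    f'198.51.100.4 - - [03/Sep/2014:10:05:40 +0000] "GET {P}/index.php?room=Team+Meeting HTTP/1.1" 200 2040',
]
```

Pass an open log file to suspicious_requests() to review real traffic; a hit shows that markup was sent to one of the two parameters, not that it was rendered in a victim's browser.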