ID PACKETSTORM:125732Type packetstormReporter Mahmoud GhorbanzadehModified 2014-03-15T00:00:00
Description
`Hello,
Cross-site
scripting (XSS) vulnerability in the Youtube Gallery 3.4.0 component for Joomla! allows remote attackers to inject arbitrary web
script or HTML via the videofile parameter to /includes/flvthumbnail.php.
POC:
http://SiteAddress/joomla/components/com_youtubegallery/includes/flvthumbnail.php?videofile=<script>alert('XSS')</script>
`
{"edition": 1, "title": "Joomla Youtube Gallery 3.4.0 Cross Site Scripting", "bulletinFamily": "exploit", "published": "2014-03-15T00:00:00", "lastseen": "2016-12-05T22:13:08", "history": [], "modified": "2014-03-15T00:00:00", "href": "https://packetstormsecurity.com/files/125732/Joomla-Youtube-Gallery-3.4.0-Cross-Site-Scripting.html", "hash": "ffdd249a89c57ee1c6a4a41a5923bfc212163f0317a0455d2cf5316ac5a9a72e", "viewCount": 4, "sourceHref": "https://packetstormsecurity.com/files/download/125732/joomlayoutubegallery-xss.txt", "reporter": "Mahmoud Ghorbanzadeh", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 4.3}, "description": "", "type": "packetstorm", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "2aa0d696430f1d1da241270a3d67ee5e"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "5ef6e6c838d6d1d5fac8dc945cba52f1"}, {"key": "modified", "hash": "509c0fbdd9053cb9e3614791690a89e4"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "509c0fbdd9053cb9e3614791690a89e4"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "28cd68c7213433de94188530e1ddda45"}, {"key": "sourceData", "hash": "b2b2c1fba44d5e29568f80a96ef89e11"}, {"key": "sourceHref", "hash": "62eceae358e7482f6487e148e7124b96"}, {"key": "title", "hash": "a46ecef65781ba18ac529d82493e7bee"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "references": [], "objectVersion": "1.2", "enchantments": {"vulnersScore": 4.3}, "sourceData": "`Hello, \n \nCross-site \nscripting (XSS) vulnerability in the Youtube Gallery 3.4.0 component for Joomla! allows remote attackers to inject arbitrary web \nscript or HTML via the videofile parameter to /includes/flvthumbnail.php. \n \nPOC: \nhttp://SiteAddress/joomla/components/com_youtubegallery/includes/flvthumbnail.php?videofile=<script>alert('XSS')</script> \n`\n", "cvelist": ["CVE-2013-5956"], "id": "PACKETSTORM:125732"}
{"result": {"cve": [{"id": "CVE-2013-5956", "type": "cve", "title": "CVE-2013-5956", "description": "Cross-site scripting (XSS) vulnerability in includes/flvthumbnail.php in the Youtube Gallery (com_youtubegallery) component 3.4.0 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the videofile parameter.", "published": "2014-04-25T10:15:30", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5956", "cvelist": ["CVE-2013-5956"], "lastseen": "2016-09-03T19:05:42"}], "openvas": [{"id": "OPENVAS:1361412562310804336", "type": "openvas", "title": "Joomla Component Youtube Gallery Cross Site Scripting Vulnerability", "description": "This host is installed with Joomla! component youtube gallery and is prone to\ncross site scripting vulnerability.", "published": "2014-03-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804336", "cvelist": ["CVE-2013-5956"], "lastseen": "2017-08-03T10:49:12"}]}}
