VideoWhisper 7 Cross Site Scripting

2014-04-25T00:00:00
ID PACKETSTORM:126334
Type packetstorm
Reporter Mahmoud Ghorbanzadeh
Modified 2014-04-25T00:00:00

Description

                                        
                                            `Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper  
CVE: CVE-2014-2715  
Vendor: VideoWhisper  
Product: Videowhisper module for Drupal 7  
Affected version: 7  
Fixed version:   
Reported by: Mahmoud Ghorbanzadeh  
  
Details:  
  
Hello,  
I found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.  
  
POC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>  
  
Vendor Notification: 18, Apr 2014  
  
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.  
  
Best Regards.  
`