[CVE-2014-2715] Cross-site scripting (XSS) vulnerability in Videowhisper

2014-05-04T00:00:00
ID SECURITYVULNS:DOC:30559
Type securityvulns
Reporter Securityvulns
Modified 2014-05-04T00:00:00

Description

Vulnerability title: Cross-site scripting (XSS) vulnerability in Videowhisper CVE: CVE-2014-2715 Vendor: VideoWhisper Product: Videowhisper module for Drupal 7 Affected version: 7 Fixed version: Reported by: Mahmoud Ghorbanzadeh

Details:

Hello, I found Cross-site scripting (XSS) vulnerability in the Videowhisper module for Drupal 7 (videowhisper-7.x). The vulnerability exist at line 2 and line 4 in drupal\modules\videowhisper\vwrooms\templates\logout.tpl.php due to $_GET['module'] and $_GET['message'] variables respectively at line 347 in drupal\modules\videowhisper\vwrooms\vwrooms.module.

POC: drupal/index.php?q=vwrooms/logout&module=<script>alert('XSS1')</script>&message=<script>alert('XSS2')</script>

Vendor Notification: 18, Apr 2014

Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.

Best Regards.