CVE-2014-1907 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Arbitrary File Read/Deletion
https://notcve.org/view.php?id=CVE-2014-1907
Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php.
• https://www.exploit-db.com/exploits/31986 http://packetstormsecurity.com/files/125454 https://exchange.xforce.ibmcloud.com/vulnerabilities/91478 https://www.htbridge.com/advisory/HTB23199
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2014-1906 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1906
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/. VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/31986 http://packetstormsecurity.com/files/125454 https://exchange.xforce.ibmcloud.com/vulnerabilities/91477 https://www.htbridge.com/advisory/HTB23199
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5714 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 4.25.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-5714
Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information.
• http://archives.neohapsis.com/archives/bugtraq/2013-08/0153.html http://osvdb.org/96593 http://secunia.com/advisories/54619 http://www.iedb.ir/exploits-402.html http://www.securityfocus.com/bid/61977
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')