CVE-2014-4570 – VideoWhisper Video Presentation <= 3.25 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4570
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Video Presentation plugin before 3.31 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) room_name parameter to c_login.php or (2) room parameter to index.php in vp/.
The VideoWhisper Video Presentation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'room_name' and 'room' parameters in versions up to, and including, 3.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• http://codevigilant.com/disclosure/wp-plugin-videowhisper-video-presentation-a3-cross-site-scripting-xss
• http://www.securityfocus.com/bid/69511
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=839980%40videowhisper-video-presentation&old=600781%40videowhisper-video-presentation&sfp_email=&sfph_mail=#file4
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4567 – HTML5 Webcam Microphone Recorder Forms < 1.55 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4567
Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116, for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.
• http://codevigilant.com/disclosure/wp-plugin-video-comments-webcam-recorder-a3-cross-site-scripting-xss
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=839986%40video-comments-webcam-recorder&old=686438%40video-comments-webcam-recorder
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4568 – Video Posts Webcam Recorder <= 1.55.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4568
Cross-site scripting (XSS) vulnerability in posts/videowhisper/r_logout.php in the Video Posts Webcam Recorder plugin 1.55.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.
• http://codevigilant.com/disclosure/wp-plugin-video-posts-webcam-recorder-a3-cross-site-scripting-xss
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=839990%40video-posts-webcam-recorder&old=686450%40video-posts-webcam-recorder&sfp_email=&sfph_mail=
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2715 – VideoWhisper 7 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-2715
Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\templates\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php.
VideoWhisper version 7 for Drupal suffers from a cross site scripting vulnerability.
• http://secunia.com/advisories/58306
• http://www.securityfocus.com/archive/1/531935/100/0/threaded
• http://www.securityfocus.com/bid/67069
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1905 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 4.27.4 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2014-1905
Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.
VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/31986
• https://www.htbridge.com/advisory/HTB23199
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-434: Unrestricted Upload of File with Dangerous Type