CVE-2014-1907 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Arbitrary File Read/Deletion
https://notcve.org/view.php?id=CVE-2014-1907
Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php. Múltiples vulnerabilidades de salto de directorio en el plugin VideoWhisper Live Streaming Integration anterior a 4.29.5 para WordPress permiten a atacantes remotos (1) leer archivos arbitrarios a través de un .. (punto punto) en el parámetro s hacia ls/rtmp_login.php o (2) eliminar archivos arbitrarios a través de un .. • https://www.exploit-db.com/exploits/31986 http://packetstormsecurity.com/files/125454 https://exchange.xforce.ibmcloud.com/vulnerabilities/91478 https://www.htbridge.com/advisory/HTB23199 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-1908 – Broadcast Live Video – Live Streaming < 4.29.5 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2014-1908
The error-handling feature in (1) bp.php, (2) videowhisper_streaming.php, and (3) ls/rtmp.inc.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. La característica de manejo de error en (1) bp.php, (2) videowhisper_streaming.php, y (3) ls/rtmp.inc.php en el plugin VideoWhisper Live Streaming Integration anterior a 4.29.5 de WordPress permite a atacantes remotos obtener información sensible a través de una petición directa, la cual revela la ruta completa en un mensaje de error. VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/31986 https://www.htbridge.com/advisory/HTB23199 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-2297 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 4.29.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-2297
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin 4.29.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to ls/htmlchat.php or (2) bgcolor parameter to ls/index.php. NOTE: vector 1 may overlap CVE-2014-1906.4. Múltiples vulnerabilidades de Cross-Site Scripting (XSS) en el plugin VideoWhisper Live Streaming Integration 4.29 para WordPress permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante (1) el parámetro n en ls/htmlchat.php y (2) el parámetro bgcolor en ls/index.php. NOTA: el vector 1 podría solaparse con CVE-2014-1906.4. Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin 4.29.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to ls/htmlchat.php or (2) bgcolor parameter to ls/index.php. • http://www.securityfocus.com/archive/1/531773/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-1906 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1906
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/. Múltiples vulnerabilidades de XSS en el plugin VideoWhisper Live Streaming Integration anterior a 4.29.5 para WordPress permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de (1) el parámetro m hacia lb_status.php; (2) el parámetro msg hacia vc_chatlog.php; el parámetro n hacia (3) channel.php, (4) htmlchat.php, (5) video.php o (6) videotext.php; (7) el parámetro message hacia lb_logout.php o el parámetro ct hacia (8) lb_status.php o (9) v_status.php en ls/. VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/31986 http://packetstormsecurity.com/files/125454 https://exchange.xforce.ibmcloud.com/vulnerabilities/91477 https://www.htbridge.com/advisory/HTB23199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-5714 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 4.25.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-5714
Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information. Multiples vulnerabilidades cross-site scripting (XSS) en ls/htmlchar.php de la extensión para WordPress, VideoWhisper Live Streaming Integration 4.25.3 y posiblemente anteriores permite a un atacate remoto inyectar script web o HTML a discrección a través del parámetro (1) name o (2) message. NOTA: algunos de esos detalles son obtenidos de información de terceros. Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. • http://archives.neohapsis.com/archives/bugtraq/2013-08/0153.html http://osvdb.org/96593 http://secunia.com/advisories/54619 http://www.iedb.ir/exploits-402.html http://www.securityfocus.com/bid/61977 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •