CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 3CVE-2014-1907 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Arbitrary File Read/Deletion
https://notcve.org/view.php?id=CVE-2014-1907
Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php. Múltiples vulnerabilidades de salto de directorio en el plugin VideoWhisper Live Streaming Integration anterior a 4.29.5 para WordPress permiten a atacantes remotos (1) leer archivos arbitrarios a través de un .. (punto punto) en el parámetro s hacia ls/rtmp_login.php o (2) eliminar archivos arbitrarios a través de un .. • https://www.exploit-db.com/exploits/31986 http://packetstormsecurity.com/files/125454 https://exchange.xforce.ibmcloud.com/vulnerabilities/91478 https://www.htbridge.com/advisory/HTB23199 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.1EPSS: 0%CPEs: 11EXPL: 3CVE-2014-1906 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1906
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/. Múltiples vulnerabilidades de XSS en el plugin VideoWhisper Live Streaming Integration anterior a 4.29.5 para WordPress permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de (1) el parámetro m hacia lb_status.php; (2) el parámetro msg hacia vc_chatlog.php; el parámetro n hacia (3) channel.php, (4) htmlchat.php, (5) video.php o (6) videotext.php; (7) el parámetro message hacia lb_logout.php o el parámetro ct hacia (8) lb_status.php o (9) v_status.php en ls/. VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/31986 http://packetstormsecurity.com/files/125454 https://exchange.xforce.ibmcloud.com/vulnerabilities/91477 https://www.htbridge.com/advisory/HTB23199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •