CVE-2023-25699 – WordPress VideoWhisper Live Streaming Integration plugin <= 5.5.15 - Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-25699
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in VideoWhisper.Com VideoWhisper Live Streaming Integration allows OS Command Injection. This issue affects VideoWhisper Live Streaming Integration: from n/a through 5.5.15.
The Live Streaming - Broadcast Live Video Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 5.5.15. This allows unauthenticated attackers to execute code on the server.
• https://patchstack.com/database/vulnerability/videowhisper-live-streaming-integration/wordpress-broadcast-live-video-live-streaming-html5-webrtc-hls-rtsp-rtmp-plugin-5-5-15-remote-code-execution-rce?_s_id=cve
• CWE-20: Improper Input Validation
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2014-4569 – Broadcast Live Video – Live Streaming < 4.27.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4569
Cross-site scripting (XSS) vulnerability in ls/vv_login.php in the VideoWhisper Live Streaming Integration plugin 4.27.2 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the room_name parameter.
• http://codevigilant.com/disclosure/wp-plugin-videowhisper-live-streaming-integration-a3-cross-site-scripting-xss
• http://www.securityfocus.com/bid/68321
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=833654%40videowhisper-live-streaming-integration&old=833649%40videowhisper-live-streaming-integration&sfp_email=&sfph_mail=
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1905 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 4.27.4 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2014-1905
Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.
VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/31986
• https://www.htbridge.com/advisory/HTB23199
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2014-1908 – Broadcast Live Video – Live Streaming < 4.29.5 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2014-1908
The error-handling feature in (1) bp.php, (2) videowhisper_streaming.php, and (3) ls/rtmp.inc.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.
VideoWhisper Live Streaming Integration version 4.27.3 suffers from cross site scripting, remote shell upload, information exposure, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/31986
• https://www.htbridge.com/advisory/HTB23199
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-2297 – Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 4.29.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-2297
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin 4.29.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to ls/htmlchat.php or (2) bgcolor parameter to ls/index.php. NOTE: vector 1 may overlap CVE-2014-1906.4.
• http://www.securityfocus.com/archive/1/531773/100/0/threaded
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')