|
Description
|
|
Two vulnerabilities have been reported in VideoWhisper Video Conference, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information.
1) Input passed via the "s" GET parameter to rtmp_login.php is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.
2) Input passed via the "message" GET parameter to vc_logout.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
|
