*CVE-2014-8752 JCE-Tech "Video Niche Script" XSS (Cross-Site Scripting) Security Vulnerability* Exploit Title: JCE-Tech "Video Niche Script" /view.php Multiple Parameters XSS Product: "Video Niche Script" Vendor: JCE-Tech Vulnerable Versions: 4.0 Tested Version: 4.0 Advisory Publication: Nov 18, 2014 Latest Update: Nov 18, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-8752 Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore] *Advisory Details:* *(1) Vendor URL:* http://jce-tech.com/products/ *Product Description:* "The PHP Video Script instantly creates a niche video site based on keywords users control via the admin console. The videos are displayed on users' site, but streamed from the YouTube servers." *(2) Vulnerability Details.* JCE-Tech "Video Niche Script" is vulnerable to XSS attacks. *(2.1)* The vulnerability occurs at "view.php" page with "video", "title" parameters. *References:* http://tetraph.com/security/cves/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8752