Vulnerability CVE-2014-8752


Published: 2014-12-31

Description:
Multiple cross-site scripting (XSS) vulnerabilities in view.php in JCE-Tech PHP Video Script (aka Video Niche Script) 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) video or (2) title parameter.

See advisories in our WLB2 database:
Topic
Author
Date
Low
JCE-Tech 4.0 Cross Site Scripting
Wang Jing
20.12.2014

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Jce-tech
Product: Video niche script 
Version: 4.0;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.securityfocus.com/bid/71738
http://tetraph.com/security/cves/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/
http://seclists.org/fulldisclosure/2014/Dec/84

Related CVE
CVE-2010-2461
SQL injection vulnerability in storecat.php in JCE-Tech Overstock 1 allows remote attackers to execute arbitrary SQL commands via the store parameter.
CVE-2010-2460
SQL injection vulnerability in merchant_product_list.php in JCE-Tech Shareasale Script (SASS) 1 allows remote attackers to execute arbitrary SQL commands via the mechant_id parameter.
CVE-2010-0375
SQL injection vulnerability in product_list.php in JCE-Tech PHP Calendars, downloaded 2010-01-11, allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: the provenance of this information is unknown; the details are o...
CVE-2010-0376
Cross-site scripting (XSS) vulnerability in product_list.php in JCE-Tech PHP Calendars, downloaded 2010-01-11, allows remote attackers to inject arbitrary web script or HTML via the cat parameter. NOTE: this issue is reportedly resultant from a forc...
CVE-2010-0380
install.php in JCE-Tech PHP Calendars, downloaded 20100121, allows remote attackers to bypass intended access restrictions and modify application settings via a direct request. NOTE: this is only a vulnerability when the administrator does not follo...
CVE-2009-3195
Multiple cross-site scripting (XSS) vulnerabilities in JCE-Tech Auction RSS Content Script 3.0 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) rss.php and (2) search.php.
CVE-2009-3196
Cross-site scripting (XSS) vulnerability in index.php in JCE-Tech PHP Video Script allows remote attackers to inject arbitrary web script or HTML via the key parameter.
CVE-2009-3197
Cross-site scripting (XSS) vulnerability in search.php in JCE-Tech PHP Calendars Script allows remote attackers to inject arbitrary web script or HTML via the search parameter.

Copyright 2019, cxsecurity.com

 

Back to Top