Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28714
HistoryOct 30, 2012 - 12:00 a.m.

Cross-Site Scripting vulnerability in CorePlayer

2012-10-3000:00:00
vulners.com
6
JSON

Hello 3APA3A!

I want to warn you about Cross-Site Scripting vulnerability in CorePlayer.

This is the same flash video player, which was used at online voting translations - today, 28.10.2012, on parliamentary elections in Ukraine and earlier this year on presidential elections in Russia.

Concerning elections in Ukraine. At spending 993.6 million gryvnas (approx. $124.2 million) for webcam setup (including development of web site for online translations), they haven't found money for security.

Affected products:

Vulnerable are CorePlayer 4.0.6 and previous versions. At web site webvybory2012.ru version 1.3.2 is used and at web site vybory2012.gov.ua version 4.0.6 is used.

Details:

XSS (WASC-08):

http://site/core_player.swf?callback=alert(document.cookie)

Examples:

http://vybory2012.gov.ua/js/elections/lib/core-player/build/core_player.swf?callback=alert(document.cookie)

http://webvybory2012.ru/flash/core-player.swf?callback=alert(document.cookie)

I mentioned about this vulnerability at my site (http://websecurity.com.ua/6117/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON