Reflected Cross-Site Scripting (XSS) in Vinteo VCC

Reflected Cross-Site Scripting (XSS)
Vinteo VCC
Vulnerable Version:
version 2.36.4
Fixed Version:
version 28.1.3
CVE Number:
October 2022
D. Kiryukhin (Office Moscow) | SEQ LLC

Vendor Description

Vinteo Video Core is a software server, the core of video conferencing and communication system.
With Vinteo Video Core, you can connect up to 1,000 participants to videoconferencing simultaneously.
The solution supports advanced WebRTC technology, which allows you to connect to videoconferencing
using a browser directly and does not require the installation of specialized software.


Business Recommendation

The vendor provides a patch with new version of product and users of this product are urged to immediately upgrade to the latest version available.

SEQ LLC recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability Overview / Description

Reflected Cross-Site Scripting (CVE-2022-48020)

With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code into the victim’s web browser. Once the victim clicks a malicious link, the attacker’s code is executed in the context of the victim’s web browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript trojans.

Vulnerable / Tested Versions

The following version was tested and found to be vulnerable:

  • version 2.36.4

Vendor Contact Timeline

2022-10-25: Contacting vendor through email
2022-12-21: Contacting vendor through email with information about applying to MITRE


The vendor provides an updated version which should be installed immediately:

Advisory URL

EOF D. Kiryukhin / @2022