{"id":126,"date":"2023-05-11T16:51:29","date_gmt":"2023-05-11T13:51:29","guid":{"rendered":"https:\/\/seq.team\/?p=126"},"modified":"2025-12-02T15:14:30","modified_gmt":"2025-12-02T12:14:30","slug":"reflected-cross-site-scripting-xss-in-vinteo-vcc","status":"publish","type":"post","link":"https:\/\/seq.team\/en\/blog\/reflected-cross-site-scripting-xss-in-vinteo-vcc\/","title":{"rendered":"Reflected Cross-Site Scripting (XSS) in Vinteo VCC"},"content":{"rendered":"\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Title:<br>Reflected Cross-Site Scripting (XSS)<\/td><td>Product:<br>Vinteo VCC<\/td><td>Vulnerable Version:<br>version 2.36.4<\/td><td>Fixed Version:<br>version 28.1.3<\/td><\/tr><tr><td>CVE Number:<br><a rel=\"noreferrer noopener\" href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2022-48020\" target=\"_blank\">CVE-2022-48020<\/a><\/td><td>Impact:<br>medium<\/td><td>Homepage:<br>https:\/\/vinteo.com\/en\/<\/td><td>Found:<br>October 2022<\/td><\/tr><tr><td>By:<br>D. 
Kiryukhin (Office Moscow) | SEQ LLC<\/td><td><\/td><td><\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Vendor Description<\/h2>\n\n\n\n<p>Vinteo Video Core is a software server, the core of video conferencing and communication system.<br>With Vinteo Video Core, you can connect up to 1,000 participants to videoconferencing simultaneously.<br>The solution supports advanced WebRTC technology, which allows you to connect to videoconferencing<br>using a browser directly and does not require the installation of specialized software.<\/p>\n\n\n\n<p>Source: <a href=\"https:\/\/vinteo.com\/en\/vinteo-solutions\/vinteo-video-core\">https:\/\/vinteo.com\/en\/vinteo-solutions\/vinteo-video-core<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Business Recommendation<\/h2>\n\n\n\n<p>The vendor provides a patch in a new version of the product, and users of this product are urged to upgrade immediately to the latest version available.<\/p>\n\n\n\n<p>SEQ LLC recommends a thorough security review, conducted by security professionals, to identify and resolve all security issues.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerability Overview \/ Description<\/h2>\n\n\n\n<p>Reflected Cross-Site Scripting (CVE-2022-48020)<\/p>\n\n\n\n<p>With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code into the victim&#8217;s web browser. Once the victim clicks a malicious link, the attacker&#8217;s code is executed in the context of the victim&#8217;s web browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials.
Additionally, users are potential victims of browser exploits and JavaScript trojans.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerable \/ Tested Versions<\/h2>\n\n\n\n<p>The following version was tested and found to be vulnerable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>version 2.36.4<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Vendor Contact Timeline<\/h2>\n\n\n\n<p>2022-10-25: Contacting vendor through email<br>2022-12-21: Contacting vendor through email with information about applying to MITRE<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>The vendor provides an updated version which should be installed immediately:<\/p>\n\n\n\n<p><a href=\"https:\/\/vinteo.com\/ru\/news\/463-obnovlenie-bezopasnosti-servera-vks-vinteo-2\">https:\/\/vinteo.com\/ru\/news\/463-obnovlenie-bezopasnosti-servera-vks-vinteo-2<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Advisory URL<\/h2>\n\n\n\n<p><a href=\"https:\/\/seq.team\/en\/blog\/reflected-cross-site-scripting-xss-in-vinteo-vcc\/\">https:\/\/seq.team\/en\/blog\/reflected-cross-site-scripting-xss-in-vinteo-vcc\/<\/a><\/p>\n\n\n\n<p>EOF D. Kiryukhin \/ @2022<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Title:Reflected Cross-Site Scripting (XSS) Product:Vinteo VCC Vulnerable Version:version 2.36.4 Fixed Version:version 28.1.3 CVE Number:CVE-2022-48020 Impact:medium Homepage:https:\/\/vinteo.com\/en\/ Found:October 2022 By:D. 
Kiryukhin (Office Moscow) | SEQ LLC Vendor Description Vinteo Video Core is a software server, the core of video conferencing and communication system.With Vinteo Video Core, you can connect up to 1,000 participants to videoconferencing simultaneously.The [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-126","post","type-post","status-publish","format-standard","hentry","category-blog"],"translation":{"provider":"WPGlobus","version":"3.0.0","language":"en","enabled_languages":["ru","en"],"languages":{"ru":{"title":true,"content":true,"excerpt":false},"en":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/comments?post=126"}],"version-history":[{"count":6,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/126\/revisions"}],"predecessor-version":[{"id":538,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/126\/revisions\/538"}],"wp:attachment":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/media?parent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/categories?post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/tags?post=126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}