WWBN AVideo videoNotFound 404ErrorMsg parameter cross-site scripting (XSS) vulnerability
WWBN AVideo 14.4及dev版本中存在跨站脚本(XSS)漏洞,源于videoNotFound页面未对404ErrorMsg参数进行过滤。攻击者可通过构造恶意链接触发漏洞,在目标页面执行任意JavaScript代码。该漏洞CVSSv3评分为9.6。 2025-7-23 23:59:7 Author: talosintelligence.com(查看原文) 阅读量:0 收藏
SUMMARY

A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 14.4
WWBN AVideo dev master commit 8a8954ff

PRODUCT URLS

AVideo - https://github.com/WWBN/AVideo

CVSSv3 SCORE

9.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

The PHP file view/videoNotFound.php is vulnerable to an XSS issue due to missing sanitization of the 404ErrorMsg parameter:

    ...
    <script>
        $(function() {
            <?php
[1]         if (!empty($_REQUEST['404ErrorMsg'])) {
                echo "avideoAlertInfo(\"{$_REQUEST['404ErrorMsg']}\");";
            }
            ?>
        });
    </script>
    ...

The 404ErrorMsg parameter is not properly sanitized before being embedded into the page contents [1], resulting in a straightforward reflected cross-site scripting (XSS) vulnerability. An attacker could exploit this flaw to execute malicious actions, such as compromising an administrator account. For instance, an attacker might deceive an administrator into clicking a crafted link that triggers the XSS attack.

TIMELINE

2025-07-08 - Vendor Disclosure
2025-07-08 - Vendor Patch Release
2025-07-24 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.


文章来源: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2207
如有侵权请联系:admin#unsafe.sh