WWBN AVideo managerPlaylists PlaylistOwnerUsersId parameter cross-site scripting (XSS) vulnerability
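An XSS vulnerability exists in WWBN AVideo 14.4 and the dev version because the PlaylistOwnerUsersId parameter is not properly filtered and escaped. An attacker can craft a malicious request to execute JavaScript code, leading to security risks such as user data disclosure or account takeover. 2025-7-23 23:59:7 Author: talosintelligence.com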

SUMMARY

A cross-site scripting (XSS) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 14.4
WWBN AVideo dev master commit 8a8954ff

PRODUCT URLS

AVideo - https://github.com/WWBN/AVideo

CVSSv3 SCORE

9.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

The PHP file plugin/PlayLists/managerPlaylists.php is vulnerable to an XSS issue due to missing sanitization of the PlaylistOwnerUsersId parameter:

    ...
    <li class="pull-right ">
        <form class="navbar-form form-inline input-group" role="search" id="searchFormPlaylist" method="get">
            <input type="search" id="searchPlaylist" name="searchPlaylist" placeholder="<?php echo __('Search Playlist'); ?>" class="form-control" value="<?php echo htmlspecialchars($_REQUEST['searchPlaylist'] ?? '', ENT_QUOTES, 'UTF-8'); ?>" autocomplete="off">
[1]         <input type="hidden" name="PlaylistOwnerUsersId" value="<?php echo @$_REQUEST['PlaylistOwnerUsersId']; ?>">
            <span class="input-group-append">
                <button class="btn btn-default btn-outline-secondary border-right-0 border py-2 faa-parent animated-hover" type="submit" id="buttonSearchPlaylist">
                    <i class="fas fa-search faa-shake"></i>
                </button>
            </span>
        </form>
    </li>
    ...

The PlaylistOwnerUsersId parameter is not properly sanitized before being embedded into the page contents [1], resulting in a straightforward reflected cross-site scripting (XSS) vulnerability. An attacker could exploit this flaw to execute malicious actions, such as compromising an administrator account. For instance, an attacker might deceive an administrator into clicking a crafted link that triggers the XSS attack.
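One way to close the sink at [1], shown as an added example that is neither the vendor's patch nor AVideo code: the first helper applies the same htmlspecialchars encoding the page already uses for searchPlaylist, and the second adds a digits-only allow-list. The helper names, the assumption that owner ids are numeric, and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo code. Function names are hypothetical.

/** Output encoding only, mirroring the searchPlaylist line on the page. */
function ownerFieldEscaped(array $request): string
{
    $raw = $request['PlaylistOwnerUsersId'] ?? '';
    // Array input (PlaylistOwnerUsersId[]=...) is not a string; treat as empty.
    $value = is_scalar($raw) ? (string) $raw : '';
    return '<input type="hidden" name="PlaylistOwnerUsersId" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

/** Allow-list validation first, output encoding kept as a second layer. */
function ownerFieldStrict(array $request): string
{
    $raw = $request['PlaylistOwnerUsersId'] ?? '';
    $value = is_scalar($raw) ? (string) $raw : '';
    // Assumption: a user id is 1 to 10 ASCII digits. Anything else is dropped.
    if (preg_match('/\A[0-9]{1,10}\z/', $value) !== 1) {
        $value = '';
    }
    return '<input type="hidden" name="PlaylistOwnerUsersId" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Constructed sample requests (not taken from the advisory).
$samples = [
    'numeric id'        => ['PlaylistOwnerUsersId' => '42'],
    'markup characters' => ['PlaylistOwnerUsersId' => '42"><b>x</b>'],
    'array value'       => ['PlaylistOwnerUsersId' => ['42']],
    'missing parameter' => [],
];

foreach ($samples as $label => $request) {
    echo $label, PHP_EOL;
    echo '  escaped: ', ownerFieldEscaped($request), PHP_EOL;
    echo '  strict:  ', ownerFieldStrict($request), PHP_EOL;
}
```

For the "markup characters" sample, the escaped variant emits the quote and angle brackets as `&quot;`, `&lt;` and `&gt;` so the value stays inside the attribute, and the strict variant emits an empty value.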

TIMELINE

2025-07-08 - Vendor Disclosure
2025-07-08 - Vendor Patch Release
2025-07-24 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2205