WWBN AVideo Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in WWBN AVideo versions 14.4 and the development master commit 8a8954ff. The issue arises in the 'videosList' page parameter functionality, where a lack of proper input sanitization allows for the execution of arbitrary JavaScript. This vulnerability can be exploited by tricking a user into visiting a crafted webpage that triggers the XSS payload.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute malicious JavaScript in the context of the user's browser. This could lead to compromising user accounts, including administrator accounts, by executing actions or stealing information such as session cookies.

Reproduction

To reproduce this vulnerability, send a crafted HTTP request to the 'videosList' page that includes a malicious script in the 'page' parameter. The absence of proper sanitization will allow the script to be executed in the user's browser.

Remediation

Users are advised to update to the patched version of WWBN AVideo. The vendor has released a patch for this vulnerability.