VDO.Ninja Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in VDO.Ninja versions 28.0 prior to 28.4. The issue resides in the examples/control.html file, where the room parameter is not properly sanitized before being displayed in the DOM. This lack of validation and encoding allows attackers to inject and execute malicious scripts. The vulnerability could be exploited to execute arbitrary JavaScript in the context of authenticated users, potentially compromising authentication tokens and session data.
Impact
Exploitation of this vulnerability allows for the execution of malicious JavaScript, which could modify application behavior, redirect users, or perform actions on behalf of authenticated users.
Reproduction
To reproduce this vulnerability, navigate to examples/control.html and include a crafted room parameter that contains an image tag with an onerror event. This will trigger an alert box displaying the document cookies, demonstrating the execution of injected JavaScript.
Remediation
Users can upgrade to VDO.Ninja version 28.4 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.