WWBN AVideo Stored Cross-Site Scripting Vulnerability in Video Comments

A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions prior to 21.0. The issue arises because the platform allows Markdown in video comments and uses Parsedown version 1.7.4 without Safe Mode enabled. This configuration permits insufficiently sanitized Markdown links to include 'javascript:' URIs as clickable links. An authenticated low-privilege attacker can exploit this by posting a comment that injects persistent JavaScript. When another user clicks the link, the injected script can execute, potentially leading to session hijacking, privilege escalation (including admin takeover), and data exfiltration.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user who clicks the malicious link. This could result in session hijacking, unauthorized privilege escalation, including gaining admin rights, and unauthorized access to or exfiltration of data.

Remediation

Users can upgrade to AVideo version 21.0 or later, where this vulnerability has been fixed. As an interim measure, validate and block unsafe URI schemes, such as 'javascript:', before rendering Markdown comments, and enable Parsedown Safe Mode.