WWBN AVideo CDN Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions prior to 26.0, specifically within the CDN plugin's download buttons component. The issue arises because the 'clean_title' field of a video record is directly inserted into a JavaScript string literal without proper escaping. This flaw allows an attacker with the ability to create or modify videos to inject arbitrary JavaScript. The injected script executes in the browser of any user who visits the affected download page.

Impact

Exploitation of this vulnerability allows for the injection of malicious JavaScript that executes in the context of the user visiting the download page. This could lead to session cookie theft, credential harvesting, and performing actions on behalf of the victim within the application. The vulnerability is particularly concerning as it allows low-privilege users to target administrators.

Reproduction

To reproduce this vulnerability, log into a WWBN AVideo account with privileges to create or edit videos. Once logged in, upload a video and inject a malicious script into the 'clean_title' field by including JavaScript code, such as a script tag or a JavaScript alert command. After the video is saved, navigate to the CDN plugin's download buttons component for that video. The injected script will execute in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to WWBN AVideo version 26.0 or later, where this vulnerability has been fixed.
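
The pattern described under Vulnerability, next to a context-correct encoding, as an added PHP example for auditing similar templates. It is not AVideo's code or the 26.0 patch. The function names, the videoTitle variable and the sample titles are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not AVideo source: hypothetical stand-ins for a
// template that writes a video's clean_title into an inline <script>.

// Vulnerable pattern: the raw value lands inside a quoted JS string literal.
function renderUnsafe(string $cleanTitle): string
{
    return "<script>var videoTitle = '" . $cleanTitle . "';</script>";
}

// Hardened pattern: encode the value as a JSON string. The JSON_HEX_* flags
// write < > & ' " as \u00XX escapes, so the data can neither end the literal
// nor close the surrounding <script> element.
function jsString(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderSafe(string $cleanTitle): string
{
    // json_encode() supplies the surrounding double quotes itself.
    return '<script>var videoTitle = ' . jsString($cleanTitle) . ';</script>';
}

// Constructed sample titles (not taken from the advisory).
$titles = [
    "Intro to CDNs",
    "Editor's cut",                       // a benign apostrophe already breaks the unsafe form
    "</script><script>alert(1)</script>", // would close the script element in the unsafe form
];

foreach ($titles as $title) {
    $literal = jsString($title);
    // Between its outer quotes the literal must hold no HTML/JS-significant characters...
    if (strpbrk(substr($literal, 1, -1), "<>&'\"") !== false) {
        throw new RuntimeException("unescaped character in: $literal");
    }
    // ...and it must decode back to exactly the stored title.
    if (json_decode($literal, false, 512, JSON_THROW_ON_ERROR) !== $title) {
        throw new RuntimeException("round-trip mismatch for: $title");
    }
    echo "unsafe: ", renderUnsafe($title), PHP_EOL;
    echo "safe:   ", renderSafe($title), PHP_EOL, PHP_EOL;
}
```

HTML entity encoding such as htmlspecialchars() is the wrong tool for this sink: the value is parsed as JavaScript inside a script element, so the encoding has to match the JavaScript string context.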

Added: Mar 22, 2026, 5:21 PM
Updated: Mar 22, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.3
exploitability: 6.1
remediation: 7.7
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.