WWBN AVideo Reflected Cross-Site Scripting Vulnerability in Password Unlock Feature

Vulnerability

A reflected cross-site scripting vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the 'view/forbiddenPage.php' and 'view/warningPage.php' templates, where the 'unlockPassword' parameter is reflected directly into an HTML input tag without proper output encoding or sanitization. This flaw allows an attacker to craft a URL that injects arbitrary HTML attributes, including JavaScript event handlers, into the input element. When a victim clicks the link, the injected script is executed in their browser, potentially leading to session hijacking or account takeover.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected JavaScript is executed in the context of the user's browser. This could result in session hijacking, allowing an attacker to steal cookies and impersonate the victim, or account takeover by changing the victim's email or password through the application's account settings.

Reproduction

To reproduce this vulnerability, visit a password-protected channel that triggers the 'forbiddenPage' or 'warningPage' templates. Craft a URL with a malicious 'unlockPassword' parameter that breaks out of the value attribute of the input element. When the crafted link is clicked, the injected JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

The vulnerability has been patched in the official repository. Users should update to the latest version.
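The pattern the advisory describes, shown beside its corrected form, as an added illustration that is not AVideo's own template code: the function names and the sample value are hypothetical, and the fix shown is contextual HTML-attribute encoding with htmlspecialchars.

```php
<?php
// Added example, not code from the AVideo repository. It mirrors the
// advisory's pattern: a request parameter echoed into the value attribute
// of an <input>. Function names and the sample value are hypothetical.

// Vulnerable pattern: the raw parameter is interpolated into the attribute.
// A double quote in the value closes the attribute early, so anything after
// it is parsed as further attributes of the element.
function render_unlock_field_vulnerable(string $unlockPassword): string
{
    return '<input type="password" name="unlockPassword" value="'
        . $unlockPassword . '">';
}

// Hardened pattern: encode for the HTML-attribute context before echoing.
// ENT_QUOTES escapes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the charset is stated explicitly.
function render_unlock_field_safe(string $unlockPassword): string
{
    $encoded = htmlspecialchars(
        $unlockPassword,
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<input type="password" name="unlockPassword" value="'
        . $encoded . '">';
}

// Simple regression check for the template: after the fixed value= prefix,
// the next double quote must be the one that closes the attribute.
function value_attribute_is_contained(string $html, string $value): bool
{
    $prefix = 'value="';
    $start = strpos($html, $prefix);
    if ($start === false) {
        return false;
    }
    $start += strlen($prefix);
    $end = strpos($html, '"', $start);
    // The encoded value must end exactly where the attribute closes.
    return $end !== false
        && substr($html, $start, $end - $start) === htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a harmless value containing a quote and angle brackets.
$sample = 'abc" data-note="<x>';
var_dump(value_attribute_is_contained(render_unlock_field_vulnerable($sample), $sample)); // bool(false)
var_dump(value_attribute_is_contained(render_unlock_field_safe($sample), $sample));       // bool(true)
```

Encoding must be applied at the point of output for the attribute context; validating or stripping the parameter elsewhere does not protect a template that still interpolates it raw.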

Added: Mar 23, 2026, 5:24 PM
Updated: Mar 23, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 4.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.