WWBN AVideo Parsedown Link Sanitization Bypass Leading to Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises from a bypass in the custom 'ParsedownSafeWithLinks' class, which was introduced as a fix for a previous vulnerability. This class is supposed to sanitize raw HTML links and images in comments, but it disables Parsedown's 'safeMode', the setting that normally filters out unsafe 'javascript:' URLs. As a result, an attacker can inject markdown links that include 'javascript:' URIs, bypassing the intended sanitization and planting scripts that execute when the comment is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the comment. This could lead to session hijacking, as the attacker could steal cookies from users who click on the malicious link, including those of admin users.

Reproduction

To reproduce this vulnerability, log in as a user with permission to comment. Navigate to any video page and post a comment containing a markdown link that includes a 'javascript:' URL, such as one that alerts document cookies. Once the comment is saved, it will be rendered as a clickable link. Clicking this link will execute the JavaScript payload, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to the patched version of WWBN AVideo, which is available in the GitHub repository.
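The root cause described in the Vulnerability section and the corrected configuration, as an added PHP example that is not AVideo's or Parsedown's own code: it assumes Parsedown 1.7.x installed via Composer, a constructed sample comment, and a hypothetical dropUnsafeUrls() helper that acts as an independent second filter on the rendered HTML.

```php
<?php
// Added example (not AVideo code). Assumes Parsedown 1.7.x via Composer.
require 'vendor/autoload.php';

// Constructed sample comment: a markdown link carrying a javascript: URI.
$comment = "[click me](javascript:alert(document.cookie))";

// Weak configuration: with safeMode off, Parsedown's URL scheme filter never
// runs and the href is emitted verbatim, which is the bug described above.
$weak = new Parsedown();
$weak->setSafeMode(false);
$weakHtml = $weak->text($comment);   // contains href="javascript:..."

// Corrected configuration: safeMode on. Parsedown neutralises hrefs whose
// scheme is not on its allow-list (http, https, mailto, ...) and escapes raw HTML.
$safe = new Parsedown();
$safe->setSafeMode(true);
$safeHtml = $safe->text($comment);

/**
 * Hypothetical defence-in-depth helper: remove href/src attributes whose
 * scheme is not explicitly allowed, whatever the markdown renderer produced.
 * DOMDocument decodes entities, so "&#106;avascript:" is seen as "javascript:".
 */
function dropUnsafeUrls(string $html): string
{
    $allowed = ['http', 'https', 'mailto'];
    $dom = new DOMDocument();
    // Wrap the fragment so no html/body is implied; '@' silences parser notices.
    @$dom->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    foreach ([['a', 'href'], ['img', 'src']] as [$tag, $attr]) {
        foreach (iterator_to_array($dom->getElementsByTagName($tag)) as $el) {
            // Browsers ignore leading/embedded control chars ("java\tscript:"),
            // so strip them before looking for a scheme.
            $url = preg_replace('/[\x00-\x20]+/', '', $el->getAttribute($attr));
            // A value with no "scheme:" prefix is a relative URL and is kept.
            if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)
                && !in_array(strtolower($m[1]), $allowed, true)) {
                $el->removeAttribute($attr);
            }
        }
    }
    return $dom->saveHTML($dom->documentElement);
}

echo dropUnsafeUrls($safeHtml), "\n";   // link survives, without a javascript: href
echo dropUnsafeUrls($weakHtml), "\n";   // same outcome even if safeMode were off
```

Running the helper over the output of the weak configuration shows why a scheme allow-list applied to the final HTML catches the bug independently of the Parsedown setting.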

Added: Mar 23, 2026, 5:23 PM
Updated: Mar 23, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.