WWBN AVideo YPTSocket Plugin DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the WWBN AVideo platform, specifically within the YPTSocket plugin's caller feature. This issue affects versions through 26.0. The vulnerability arises because incoming call notifications are rendered using the jQuery Toast Plugin, which directly incorporates the caller's display name as raw HTML. An attacker can exploit this by setting their display name to include an XSS payload, which is then executed in the browser of any online user receiving the call notification. The exploitation requires no interaction from the victim, other than being connected to the WebSocket.

Impact

Exploitation of this vulnerability leads to a zero-click stored cross-site scripting, where the injected script executes in the context of the victim's browser. This could allow an attacker to steal session cookies, impersonate the victim, and if the victim is an administrator, gain full control over the platform. Additionally, the XSS payload could be used to create a self-propagating worm by calling other online users.

Reproduction

To reproduce this vulnerability, connect a malicious WebSocket client to the AVideo WebSocket server. Send a call message with the 'from_identification' field containing an XSS payload, such as an image tag with an 'onerror' event. Ensure that a victim user is online and connected to the WebSocket. When the call notification is received, the XSS payload will execute in the victim's browser without any interaction required.

Remediation

HTML-escape the heading value before passing it to the jQuery Toast Plugin to prevent the execution of embedded HTML or script content.
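The escaping step this remediation calls for, as an added example that is not AVideo's or the YPTSocket plugin's own code: the caller name from the message is escaped before it becomes the toast heading, and the same message is shown unescaped to illustrate what the vulnerable path would hand to the plugin. The `from_identification` field name comes from the advisory; the toast option names, the `buildCallToast` helper and the sample message are assumptions.

```javascript
// Added example (not AVideo's own code). Escape the caller's display name
// before it reaches a jQuery Toast heading, which the plugin renders as raw HTML.
// The message shape and toast option names are assumptions modelled on the advisory.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that has meaning in HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the options object that would be passed to $.toast() for an incoming call.
// `escape: false` reproduces the vulnerable behaviour (name used as raw HTML);
// the default escapes the name so it can only ever render as text.
function buildCallToast(msg, { escape = true } = {}) {
  const name = msg.from_identification;
  return {
    heading: escape ? escapeHtml(name) : name,
    text: 'Incoming call',
    icon: 'info',
  };
}

// True when a heading still contains something that would parse as an HTML tag.
function containsRawTag(heading) {
  return /<[a-z!\/]/i.test(heading);
}

// Constructed sample message carrying the kind of display name the advisory describes.
const SAMPLE_CALL = { type: 'call', from_identification: '<img src=x onerror=alert(1)>' };

function vulnerableHeading() {
  return buildCallToast(SAMPLE_CALL, { escape: false }).heading;
}

function hardenedHeading() {
  return buildCallToast(SAMPLE_CALL).heading;
}
```

Escaping on the receiving client is the minimum fix; the server can also reject or sanitise display names on registration so malformed names never reach other users' sockets.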

Added: Mar 31, 2026, 9:46 PM
Updated: Mar 31, 2026, 9:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 7.8
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.