WWBN AVideo Stored Cross-Site Scripting Vulnerability in EPG Feature

Vulnerability

A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions through 26.0. The issue lies in the Electronic Program Guide (EPG) feature, which fetches and parses XML from user-controlled URLs and renders the program titles it contains into HTML without escaping them. A user with upload permissions can exploit this by setting a video's EPG link to a malicious XML file whose title elements contain JavaScript. That JavaScript executes in the browsers of unauthenticated visitors to the public EPG page, potentially leading to session hijacking and account takeover.

Impact

Exploitation of this vulnerability allows session hijacking: a victim's cookies and session tokens can be stolen by the injected script. If an administrator's session is hijacked, the result can be full control over the AVideo platform. The vulnerability is persistent, because the injected XSS payload is cached server-side and executed for every visitor to the EPG page, which is publicly accessible without authentication.

Reproduction

To reproduce this vulnerability, first upload a video with a malicious EPG link pointing to an XML file hosted on an attacker-controlled server. This XML file should contain a JavaScript payload in a title element. Once the video is uploaded, any unauthenticated visitor to the EPG page triggers execution of the JavaScript payload.

Remediation

Users are advised to update to AVideo version 29.0, where this vulnerability has been patched. In the patched version, program titles are HTML-escaped before being rendered, so markup or script contained in a title is displayed as text rather than executed.
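The following Python example is added here to illustrate the defect and the fix described above; it is not AVideo's own code (AVideo is written in PHP) and it does not reproduce the project's EPG implementation. It parses a constructed EPG-style XML document, renders the titles into an HTML list the unsafe way (raw string interpolation, as the vulnerable versions do) and the safe way (escaping each title first, as the patched version does), and includes a small pre-cache check a defender can run to flag titles that carry markup before they are stored. The element names and the script payload in the sample are constructed for the demonstration and are not taken from the advisory.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample EPG XML, standing in for the attacker-hosted file the
# advisory describes. In XML the angle brackets inside the second title must
# be entity-encoded; after parsing, the text node is a literal <script> tag.
# The script body is deliberately inert.
SAMPLE_EPG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tv>
  <programme start="20260407200000 +0000" channel="ch1">
    <title>Evening News</title>
  </programme>
  <programme start="20260407210000 +0000" channel="ch1">
    <title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
  </programme>
</tv>
"""


def parse_titles(xml_text):
    """Return the text of every <programme><title> element, in document order.

    ET decodes entities, so a title that was written as &lt;script&gt; in the
    XML comes back as a real '<script>' string here. This is the point at
    which the untrusted value enters the application.
    """
    root = ET.fromstring(xml_text)
    return [(p.findtext("title") or "") for p in root.iter("programme")]


def render_epg_unsafe(titles):
    """Vulnerable rendering: titles are interpolated into HTML verbatim.

    Any markup in a title (including <script>) becomes live markup in the
    page. This mirrors the behaviour the advisory attributes to AVideo
    versions through 26.0.
    """
    return "<ul>" + "".join(f"<li>{t}</li>" for t in titles) + "</ul>"


def render_epg_safe(titles):
    """Hardened rendering: every title is HTML-escaped before interpolation.

    html.escape converts <, >, &, " and ' to entity references, so the
    browser shows the payload as text instead of executing it. This is the
    fix the advisory describes for version 29.0.
    """
    return "<ul>" + "".join(
        f"<li>{html.escape(t, quote=True)}</li>" for t in titles
    ) + "</ul>"


def titles_with_markup(titles):
    """Defender-side check: return titles that contain HTML-significant
    characters. Because the advisory notes the EPG data is cached
    server-side, running this before caching (and logging any hits) gives
    an early signal that an EPG feed is carrying markup it should not."""
    return [t for t in titles if any(c in t for c in "<>&\"'")]


if __name__ == "__main__":
    titles = parse_titles(SAMPLE_EPG_XML)
    print("flagged titles:", titles_with_markup(titles))
    print("unsafe:", render_epg_unsafe(titles))
    print("safe:  ", render_epg_safe(titles))
```

Running the block prints the flagged second title, an unsafe rendering in which the `<script>` tag is intact, and a safe rendering in which it appears as `&lt;script&gt;`. The escaping step belongs at the point of HTML output; escaping before caching is not a substitute, because the same cached value may later be emitted in a context (an attribute, JSON, a different template) where HTML entities are the wrong encoding.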

Added: Apr 7, 2026, 8:56 PM
Updated: Apr 7, 2026, 8:56 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined into the overall risk score.