WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions 29.0 and below. The issue arises in the `isValidDuration()` function within `objects/video.php`, where the regular expression for validating video duration does not properly anchor the end of the string. This flaw allows arbitrary HTML or JavaScript to be appended after a valid duration prefix. The crafted duration is saved in the database and later rendered without proper HTML escaping on trending pages, playlist pages, and video gallery thumbnails.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected video. This could lead to session hijacking, account takeover, phishing attacks, or the spread of the XSS payload to other users.
To reproduce this vulnerability, authenticate as a user with upload permissions and obtain a `video_id_hash` for a video. Then, send a POST request to `objects/aVideoEncoderReceiveImage.json.php` with a crafted `duration` parameter that includes a valid duration prefix followed by injected HTML, such as an image tag with an `onerror` event. The `isValidDuration()` function will incorrectly validate the duration, allowing the payload to be stored. Finally, visit a trending page or playlist that includes the video to trigger the injected script.
The vulnerability can be fixed by anchoring the regular expression in the `isValidDuration()` function to ensure it only accepts properly formatted durations. Additionally, all output functions that render the duration should be updated to HTML-escape the content before displaying it.
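The following added example (not AVideo's code) shows the two fixes described above: an end-anchored duration check and HTML escaping at render time. The regex patterns, the `isValidDurationLoose()` / `isValidDurationStrict()` / `renderDuration()` names, and the sample inputs are assumptions constructed for illustration; the actual pattern in `objects/video.php` is not reproduced here.

```php
<?php
// Added example: hypothetical patterns, not the regex from objects/video.php.

// No end anchor: any string that merely STARTS with HH:MM:SS is accepted.
const LOOSE_DURATION = '/^[0-9]{1,2}:[0-9]{2}:[0-9]{2}/';

// \A and \z force the whole string to be the duration. \z is used instead
// of $ because in PCRE $ also matches just before a trailing newline
// unless the D modifier is set.
const STRICT_DURATION = '/\A[0-9]{1,2}:[0-5][0-9]:[0-5][0-9]\z/';

function isValidDurationLoose(string $d): bool
{
    return preg_match(LOOSE_DURATION, $d) === 1;
}

function isValidDurationStrict(string $d): bool
{
    return preg_match(STRICT_DURATION, $d) === 1;
}

// Output-side defence: escape when rendering, regardless of how the value
// was validated on input (older rows may predate the validation fix).
function renderDuration(string $d): string
{
    $safe = htmlspecialchars($d, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="duration">' . $safe . '</span>';
}

// Constructed sample inputs (inert markup stands in for injected HTML).
$samples = [
    '00:01:30',                // well-formed duration
    "00:01:30\n",              // trailing newline: rejected by \z
    '00:01:30<b>injected</b>', // valid prefix followed by markup
    '1:75:00',                 // out-of-range minutes
];

foreach ($samples as $s) {
    printf(
        "%-32s loose=%-5s strict=%-5s rendered=%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        var_export(isValidDurationLoose($s), true),
        var_export(isValidDurationStrict($s), true),
        renderDuration($s)
    );
}
```

Only the first sample passes the strict check, while all four pass the loose one; the rendered column shows the markup arriving as `&lt;b&gt;` text, which is what protects pages that display durations stored before validation was tightened.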