WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 29.0
A cross-site scripting (XSS) vulnerability has been identified in WWBN AVideo versions through 29.0. The issue arises from an incomplete fix in the `ParsedownSafeWithLinks` class, which fails to properly sanitize `javascript:` URLs in markdown link syntax. While the class overrides certain methods to sanitize raw HTML links, it does not address links created through markdown syntax or auto-linking, allowing for the injection of malicious JavaScript that executes when the link is clicked.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript executes in the context of the user viewing the content. This could lead to session hijacking, as the script could steal cookies from the user.
To reproduce this vulnerability, log in to a WWBN AVideo account with permission to comment. Navigate to a video page and post a comment containing a markdown link with a `javascript:` URL, such as `javascript:alert(document.cookie)`. Once the comment is saved, it will be rendered as a clickable link. Clicking this link will execute the JavaScript payload in the context of the user's browser.
Users can update to AVideo versions 29.0 or later, where this vulnerability has been patched.
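Because the flaw described above comes from sanitizing only some link-producing paths, one defensive option is to check every anchor in the rendered HTML, whichever path produced it. The following is an added example, not AVideo or Parsedown code; the function names `is_safe_href` and `neutralise_unsafe_links`, the scheme allow-list and the sample HTML are assumptions.

```php
<?php
// Added example: hypothetical helpers, not AVideo or Parsedown code.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumed allow-list

/** True when $href is a relative reference or uses an allow-listed scheme. */
function is_safe_href(string $href): bool
{
    // Decode entities the HTML parser may have left in place, then mirror
    // browser URL parsing: strip leading/trailing C0 controls and spaces,
    // and drop tab, CR and LF wherever they occur.
    $url = html_entity_decode($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = trim($url, "\x00..\x20");
    $url = str_replace(["\t", "\r", "\n"], '', $url);

    // No "scheme:" prefix means a relative reference, which is allowed.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

/** Remove href from every <a> in rendered HTML whose target is not safe. */
function neutralise_unsafe_links(string $html): string
{
    libxml_use_internal_errors(true); // tolerate loose user-supplied HTML
    $doc = new DOMDocument();
    // The XML declaration makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    foreach ($doc->getElementsByTagName('a') as $a) {
        if ($a->hasAttribute('href') && !is_safe_href($a->getAttribute('href'))) {
            $a->removeAttribute('href'); // keep the text, drop the target
        }
    }
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return ''; // nothing renderable in the input
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample of rendered comment HTML (not captured AVideo output).
$rendered = '<p><a href="javascript:alert(document.cookie)">one</a> '
          . '<a href=" JavaScript:alert(document.cookie)">two</a> '
          . '<a href="https://example.com/">three</a></p>';
echo neutralise_unsafe_links($rendered), PHP_EOL;
```

Only the third link keeps its `href`; the first two are reduced to plain anchor text.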