WWBN AVideo HTML Injection Vulnerability in Email Notification System Allows Phishing

Vulnerability

A vulnerability in WWBN AVideo versions through 29.0 allows authenticated users with upload permissions to inject arbitrary HTML into email notifications sent to their channel subscribers. The issue arises in the 'objects/notifySubscribers.json.php' file, where the 'message' POST parameter is passed directly to the 'sendSiteEmail()' function without any HTML sanitization or encoding. This unsanitized HTML is then rendered as an email using PHPMailer's 'msgHTML()' method. As a result, an attacker can broadcast phishing links, tracking pixels, or UI spoofing elements to up to 10,000 subscribers per request. The emails are sent from the platform's contact address, disguised as official communications, and include the site's logo and title.

Impact

Exploitation of this vulnerability allows authenticated uploaders to use the platform's email system to send phishing messages to their subscribers, appearing as trusted communications. This could lead to credential theft or other malicious actions, especially if the recipient has previously received legitimate emails from the same address.

Reproduction

To reproduce this vulnerability, an authenticated user with upload permissions can send a POST request to 'objects/notifySubscribers.json.php' with an injected HTML message. The request must include a 'Referer' header that matches the platform's origin. Once the message is sent, all subscribers on the channel will receive the email with the injected HTML, such as phishing links or tracking pixels.

Remediation

Sanitize or encode the 'message' POST parameter before it is processed by PHPMailer. This can be done by stripping all HTML and converting the message to plain text, or by using a trusted HTML sanitizer to allow only a limited set of HTML elements. Additionally, implement measures such as requiring a real anti-CSRF token, adding rate limits, and including an unsubscribe option in the email notifications.
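As an added example (not AVideo's or PHPMailer's own code), the send path hardened the way the remediation describes: the 'message' parameter is reduced to escaped plain text by default, or passed through HTML Purifier with a short allow-list when simple formatting must be kept, before it reaches PHPMailer's msgHTML(). The wrapper function names, the sample input and the assumption that PHPMailer and HTML Purifier are installed via Composer are mine.

```php
<?php
// Added example, not AVideo project code. Assumes PHPMailer and
// ezyang/htmlpurifier are installed through Composer's autoloader.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

// Default path: treat the subscriber message as plain text. Strip every tag,
// then escape what remains so that markup an uploader types is shown literally
// instead of rendering as a link, image or form in the recipient's mail client.
function notificationBodyAsText(string $raw): string
{
    $text = htmlspecialchars(strip_tags($raw), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($text, false); // keep the uploader's line breaks, nothing else
}

// Alternative path when simple formatting must survive: a trusted sanitizer
// with a short allow-list. <a>, <img>, <form>, <style> and all attributes are
// dropped, which removes phishing links, tracking pixels and UI spoofing.
function notificationBodyAsLimitedHtml(string $raw): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em');
    $config->set('Cache.DefinitionImpl', null); // no cache directory needed here
    return (new HTMLPurifier($config))->purify($raw);
}

// Hypothetical wrapper standing in for the site's sendSiteEmail(): the body is
// sanitized here, before PHPMailer's msgHTML() ever sees it.
function sendSubscriberNotification(PHPMailer $mail, string $to, string $subject,
                                    string $rawMessage, bool $allowFormatting = false): void
{
    $body = $allowFormatting
        ? notificationBodyAsLimitedHtml($rawMessage)
        : notificationBodyAsText($rawMessage);
    $mail->addAddress($to);
    $mail->Subject = $subject;
    $mail->msgHTML($body); // msgHTML() also derives the plain-text AltBody
}

// Constructed sample input of the kind the advisory describes; run locally to
// compare the two sanitized forms without sending any mail.
$untrusted = 'New video!<br><a href="https://account-check.invalid/login">Verify your account</a>'
           . '<img src="https://pixel.invalid/t.gif" width="1" height="1">';
echo notificationBodyAsText($untrusted), PHP_EOL;
echo notificationBodyAsLimitedHtml($untrusted), PHP_EOL;
```

The plain-text path is the safer default for a subscriber broadcast; the allow-list path is only worth its extra dependency if uploaders genuinely need bold, italic or paragraph breaks.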

Added: May 11, 2026, 10:40 PM
Updated: May 11, 2026, 10:40 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.8
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.