WWBN AVideo Reflected Cross-Site Scripting Vulnerability in the Meet Plugin

Vulnerability

A reflected cross-site scripting vulnerability has been identified in WWBN AVideo versions through 29.0. The issue resides in the Meet plugin, specifically within 'iframe.php', where user-controlled 'user' and 'pass' query parameters are echoed unescaped into a JavaScript string literal inside a <script> block. This flaw allows an attacker to execute arbitrary JavaScript in the context of the AVideo origin by crafting a malicious URL. The vulnerability is accessible without authentication if a public Meet schedule is available on the target.

Impact

Exploitation results in reflected cross-site scripting: attacker-supplied JavaScript runs in the victim's browser in the context of the AVideo site.

Reproduction

To reproduce this vulnerability, send a crafted URL to a victim that includes the 'user' and 'pass' query parameters. The 'user' parameter should contain a payload that breaks out of the JavaScript string context, such as a closing quote followed by a semicolon and a JavaScript function call, like 'alert(1)'. If the target has a public Meet schedule with no password, the vulnerability can be exploited without authentication.

Remediation

Users are advised to update to a version that includes commit '3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b', which contains the fix.
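The bug class described above (a request parameter written into a JavaScript string literal inside a <script> block), shown beside a hardened form. This is an added example, not AVideo source code and not the contents of the referenced commit; the function names, the constant and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not AVideo source. All names here are hypothetical.

// With these flags json_encode() emits quotes, <, > and & as \uXXXX escapes,
// so the value can neither close the string literal nor end the <script>
// element. JSON_THROW_ON_ERROR (PHP 7.3+) rejects invalid UTF-8 instead of
// silently returning false.
const JS_SAFE_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
    | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;

/** Vulnerable pattern from the advisory: raw value inside a JS string literal. */
function renderUnsafe(string $user): string
{
    return "<script>var user = '" . $user . "';</script>";
}

/** Hardened form: each value is serialized as a JavaScript literal. */
function renderSafe(string $user, string $pass): string
{
    // json_encode() supplies the surrounding double quotes itself,
    // so the template must not add its own.
    $u = json_encode($user, JS_SAFE_FLAGS);
    $p = json_encode($pass, JS_SAFE_FLAGS);
    return "<script>var user = {$u}; var pass = {$p};</script>";
}

// Constructed inputs: the first follows the advisory's description (closing
// quote, semicolon, function call); the second tries to end the script element.
$user = "';alert(1);//";
$pass = '</script>';

// Run from the CLI to compare the two renderings side by side.
echo "unsafe: ", renderUnsafe($user), PHP_EOL;
echo "safe:   ", renderSafe($user, $pass), PHP_EOL;

// Regression check suitable for a unit test: once the template's own tags are
// removed, the safe rendering must contain no raw quote or angle bracket
// that originated from the input.
$body = substr(renderSafe($user, $pass), strlen('<script>'), -strlen('</script>'));
if (preg_match("/['<>]/", $body)) {
    fwrite(STDERR, "encoding regression: raw metacharacter in script body\n");
    exit(1);
}
```

HTML-escaping alone (for example htmlspecialchars()) is the wrong encoder for this context, because the browser does not decode entities inside a <script> block; the value has to be encoded as a JavaScript literal.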

Added: May 11, 2026, 10:39 PM
Updated: May 11, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.