WWBN AVideo Stored Cross-Site Scripting Vulnerability in Live Plugin

Vulnerability

A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions through 29.0. The issue arises in the Live plugin's 'YouTube-style' view, where the live stream's key is rendered into an HTML class attribute without being escaped for the attribute context. A user with 'canStream' privileges can therefore save a key that closes the class attribute and appends a JavaScript event-handler attribute; the resulting script executes in the browser of any visitor who opens the live stream page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where the injected JavaScript runs in the context of the AVideo site's origin. This could lead to the theft of cookies and session credentials, with potential escalation to administrative privileges if an administrator views the affected live stream page while logged in.

Reproduction

To reproduce this vulnerability, a user must have 'canStream' rights. This can be achieved by registering an account on an AVideo installation that grants new users streaming rights, or by using an existing account with streaming privileges. Once authenticated, the user saves a live stream key containing a JavaScript payload through the Live plugin's save live feature. When the live stream page is accessed, the injected script executes, demonstrating the stored cross-site scripting vulnerability.

Remediation

The vulnerability can be addressed by escaping the stream key for the HTML attribute context (encoding quotes as well as angle brackets and ampersands) before it is rendered into the class attribute. Additionally, a character allowlist should be enforced on the live transmissions key when it is written to storage, so that HTML metacharacters can never be introduced in the first place; the two measures are complementary, since output escaping protects the rendering path and the allowlist protects any other consumer of the stored key.
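To make the attribute-breakout described under Vulnerability and the two-part fix described under Remediation concrete, the following added example (written for this page, not code from the AVideo project) contrasts an unescaped class attribute with an attribute-escaped one and adds a write-time allowlist. The `<div class="live-...">` markup is a hypothetical stand-in for the plugin's template, the allowlist pattern and the `save_key` function are assumptions, and the malicious key is a constructed sample; `rendered_attributes` parses the output with Python's HTML tokenizer to show which attributes a browser would actually see.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample payload: a key a user with canStream rights could save.
# It closes the class attribute value and appends an event-handler attribute.
MALICIOUS_KEY = 'abc" onmouseover="alert(document.cookie)'


def render_vulnerable(key: str) -> str:
    """Unsafe pattern (hypothetical stand-in for the plugin's markup):
    the stored key is concatenated straight into a class attribute."""
    return f'<div class="live-{key}"></div>'


def render_escaped(key: str) -> str:
    """Output-side fix: attribute-context escaping.
    quote=True also encodes both kinds of quote, so the key can't close the attribute."""
    return f'<div class="live-{html.escape(key, quote=True)}"></div>'


# Assumed allowlist for the input side: only characters a stream key legitimately needs.
KEY_ALLOWLIST = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_key(key: str) -> bool:
    """True when the whole key matches the allowlist (fullmatch, not search)."""
    return KEY_ALLOWLIST.fullmatch(key) is not None


def save_key(key: str) -> str:
    """Write-time check (assumed helper): refuse to store a key carrying HTML metacharacters."""
    if not validate_key(key):
        raise ValueError("live key contains characters outside the allowlist")
    return key


class _FirstTagAttrs(HTMLParser):
    """Collects the attributes the HTML tokenizer reports on the first start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self._seen = False

    def handle_starttag(self, tag, attrs):
        if not self._seen:
            self._seen = True
            self.attrs = dict(attrs)  # attribute values arrive already unescaped


def rendered_attributes(markup: str) -> dict:
    """Parse the rendered markup and return the first tag's attributes as a dict.
    A stray 'onmouseover' key means the payload broke out of the class attribute."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    print("vulnerable:", rendered_attributes(render_vulnerable(MALICIOUS_KEY)))
    print("escaped:   ", rendered_attributes(render_escaped(MALICIOUS_KEY)))
    try:
        save_key(MALICIOUS_KEY)
    except ValueError as exc:
        print("write-time allowlist rejected the key:", exc)
```

Run stand-alone, the vulnerable rendering yields two attributes (`class` and `onmouseover`), the escaped rendering yields only `class` with the whole payload inert inside it, and the allowlist rejects the payload before it is ever stored. Note that escaping with `quote=True` matters: escaping only `<`, `>` and `&` would leave the double quote intact and the breakout would still work.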

Added: May 29, 2026, 2:30 PM
Updated: May 29, 2026, 2:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 6.5
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.