WWBN AVideo Stored Cross-Site Scripting Vulnerability in Category Descriptions

Vulnerability

A stored cross-site scripting vulnerability has been identified in WWBN AVideo versions through 29.0. The issue arises because category descriptions are saved from user input and later displayed as raw HTML in the Gallery view. Users with the ability to create or edit categories can inject JavaScript into the category description, which is executed when another user views the corresponding Gallery or category page. This vulnerability is distinct from previously addressed XSS issues in video titles or comments.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the browsers of users or administrators who view the affected Gallery or category page. This could enable an attacker to perform actions on behalf of the victim, steal same-origin data accessible to JavaScript, or misuse administrative UI functions if an administrator views the compromised category.

Reproduction

To reproduce this vulnerability, log in as a user with permission to create or edit categories. Once logged in, create or edit a category and enter a description that includes a JavaScript payload, such as an image tag with an 'onerror' event. After saving the category, assign at least one video to it. Finally, open the Gallery or category page that displays the category section. The injected JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Category descriptions should be sanitized on input using the same HTML policy applied to video descriptions, or stored as plain text. When outputting category descriptions, they should be encoded to prevent execution of injected scripts. If limited HTML is allowed, use a library like HTMLPurifier to clean the input before storage or rendering. Additionally, regression tests should be implemented to ensure category descriptions are properly handled in Gallery views.
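The two remediation paths described above (encode on output, or purify on input with an HTMLPurifier allowlist), together with the regression check the last sentence asks for, as an added PHP example that is not AVideo's own code; the function names, the allowlist contents and the sample description are assumptions.

```php
<?php
// Added example, not AVideo's own code. Function names and the allowlist are assumptions.
// HTMLPurifier (ezyang/htmlpurifier via Composer) is needed only for the limited-HTML path.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Plain-text policy: store the description as entered and encode it on output.
 * Every HTML metacharacter becomes an entity, so any markup in the description is
 * displayed literally instead of being parsed by the browser (unlike a raw echo).
 */
function renderCategoryDescriptionPlain(string $description): string
{
    return htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Limited-HTML policy: purify on input with the same allowlist used for video
 * descriptions, then store and output the purified string. Elements and attributes
 * outside the allowlist (script, img, event handlers) are removed.
 */
function sanitizeCategoryDescription(string $description): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Keep this allowlist aligned with the policy applied to video descriptions.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($description);
}

/** Tiny assertion helper so the check also runs where zend.assertions is disabled. */
function check(bool $ok, string $message): void
{
    if (!$ok) {
        throw new RuntimeException('Regression check failed: ' . $message);
    }
}

// Constructed sample of the kind the advisory describes: an image tag with an onerror handler.
$constructed = 'Holiday videos <img src="x" onerror="alert(1)"> and more';

$plain = renderCategoryDescriptionPlain($constructed);
check(strpos($plain, '<img') === false, 'plain output must not contain a raw tag');
check(strpos($plain, '&lt;img') !== false, 'plain output must entity-encode the tag');

$clean = sanitizeCategoryDescription($constructed);
check(stripos($clean, 'onerror') === false, 'purified output must drop event handlers');
check(strpos($clean, 'Holiday videos') !== false, 'purified output must keep the text');

echo "Category description regression check passed\n";
```

The same checks can be wired into the project's test suite by rendering a category with this constructed description and asserting on the Gallery page output rather than on the helper functions directly.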

Added: May 29, 2026, 2:20 PM
Updated: May 29, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.