Cross site scripting (XSS) in wwbn/avideo

High severity GitHub Reviewed Published Apr 26, 2023 in WWBN/AVideo • Updated Apr 26, 2023

Package

composer wwbn/avideo (Composer)

Affected versions

< 12.4

Patched versions

12.4

Description

Description:

While creating an account on demo.avideo.com I found a parameter "?success=" which did not sanitize symbol characters properly, which leads to an XSS attack.

Impact:

Since there is an admin account on demo.avideo.com, an attacker can use this attack to take over the admin's account.

Steps to Reproduce:

  1. Click the link below

https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>

  2. Then the XSS will be executed
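The root cause described above is a query-string value reflected into the page without output encoding. As an added illustration, not code from the AVideo project or the reporter, the following PHP shows that unsafe pattern beside two hardened forms (entity encoding, and an allow-list of message keys); the function names and the message table are hypothetical.

```php
<?php
// Added example, not AVideo's own code. Demonstrates why a reflected
// "?success=" value must be encoded (or not reflected at all).

// Vulnerable pattern: the raw query value is concatenated into markup,
// so a value containing "><img ...> closes the attribute and injects a tag.
function render_success_unsafe(string $success): string
{
    return '<div class="alert alert-success" title="' . $success . '">'
        . $success . '</div>';
}

// Hardened form 1: entity-encode for the HTML text/attribute context.
// ENT_QUOTES also encodes " and ', so the value cannot break out of
// the title="" attribute; < and > become &lt; and &gt;.
function render_success_safe(string $success): string
{
    $safe = htmlspecialchars($success, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-success" title="' . $safe . '">'
        . $safe . '</div>';
}

// Hardened form 2 (preferred for status messages): the parameter selects
// a message by key; free text from the URL never reaches the page.
// The message table here is constructed for the example.
const SUCCESS_MESSAGES = [
    'account_created' => 'Your account has been created.',
    'email_verified'  => 'Your e-mail address has been verified.',
];

function render_success_allowlist(string $key): string
{
    // Unknown keys render nothing rather than echoing attacker input.
    if (!array_key_exists($key, SUCCESS_MESSAGES)) {
        return '';
    }
    return '<div class="alert alert-success">' . SUCCESS_MESSAGES[$key] . '</div>';
}

// Constructed input shaped like the payload in the advisory; in the real
// application this would come from $_GET['success'].
$input = '"><img src=x onerror=alert(document.cookie)>';

echo render_success_unsafe($input), PHP_EOL;     // tag is injected
echo render_success_safe($input), PHP_EOL;       // rendered as literal text
echo render_success_allowlist($input), PHP_EOL;  // empty: key not allowed
echo render_success_allowlist('account_created'), PHP_EOL;
```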

References

@DanielnetoDotCom DanielnetoDotCom published to WWBN/AVideo Apr 26, 2023
Published to the GitHub Advisory Database Apr 26, 2023
Reviewed Apr 26, 2023
Last updated Apr 26, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-2fch-hv74-fgw9

Source code

Credits
