CVE-2023-30860

2023-05-0819:15:12

CWE-79

[email protected]

web.nvd.nist.gov

avideo

cve-2023-30860

video platform

open source

security vulnerability

malicious script insertion

account takeover

patch fix

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

34.6%

JSON

WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.

Affected configurations

NVD

Node

wwbnavideoRange<12.4

CPENameOperatorVersion
wwbn:avideowwbn avideolt12.4

CPE	Name	Operator	Version
wwbn:avideo	wwbn avideo	lt	12.4

CNA Affected

[
  {
    "vendor": "WWBN",
    "product": "AVideo",
    "versions": [
      {
        "version": "WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account",
        "status": "affected"
      }
    ]
  }
]