Lucene search

K
githubGitHub Advisory DatabaseGHSA-2FCH-HV74-FGW9
HistoryApr 26, 2023 - 7:42 p.m.

Cross site scripting (XSS) in wwbn/avideo

2023-04-2619:42:30
CWE-79
GitHub Advisory Database
github.com
8
xss
vulnerability
demo.avideo.com
account takeover
admin account

Description:

While making an account in demo.avideo.com I found a parameter β€œ?success=” which did not sanitize any symbol character properly which leads to XSS attack.

Impact:

Since there’s an Admin account on demo.avideo.com attacker can use this attack to Takeover the admin’s account

Step to Reproduce:

  1. Click the link below

https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>

  1. Then XSS will be executed

Affected configurations

Vulners
Node
wwbnavideoRange<12.4
CPENameOperatorVersion
wwbn/avideolt12.4