Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-2FCH-HV74-FGW9
HistoryApr 26, 2023 - 7:42 p.m.

Cross site scripting (XSS) in wwbn/avideo

2023-04-2619:42:30
CWE-79
GitHub Advisory Database
github.com
8
xss
vulnerability
demo.avideo.com
account takeover
admin account
JSON

Description:

While making an account in demo.avideo.com I found a parameter “?success=” which did not sanitize any symbol character properly which leads to XSS attack.

Impact:

Since there’s an Admin account on demo.avideo.com attacker can use this attack to Takeover the admin’s account

Step to Reproduce:

  1. Click the link below

https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>

  1. Then XSS will be executed

Affected configurations

Vulners
Node
wwbnavideoRange<12.4
JSON