Google OSV: GHSA-2FCH-HV74-FGW9
History: Apr 26, 2023 - 7:42 p.m.

Cross site scripting (XSS) in wwbn/avideo

Tags: cross site scripting, xss attack, admin account takeover, security vulnerability, unsanitized parameter

Description:

While creating an account on demo.avideo.com I found that the `success` query parameter of `/user` (`?success=`) is reflected into the page without encoding HTML metacharacters. A value such as `"><img ...>` therefore closes the attribute the parameter is written into and injects new markup, which gives reflected cross-site scripting (XSS).

Impact:

Since an Admin account exists on demo.avideo.com, an attacker who gets the administrator to open a crafted link can run script in the administrator's browser session and use it to take over the admin account. Note for triage: if the session cookie is marked HttpOnly, `document.cookie` will not expose it, but the injected script can still send authenticated requests as the administrator from that session, so the account-takeover impact stands either way.

Step to Reproduce:

  1. Click the link below (the payload is carried in the `success` query parameter):

https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>

  2. The injected `<img>` fails to load and its `onerror` handler runs, so the XSS executes and an alert shows the document's cookies.
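The following is an added example, not code from AVideo or from the advisory. It shows why the payload above works when a query parameter is reflected unencoded into an HTML attribute, and how HTML-encoding the value at the point of output stops it. The `<input>` template is a hypothetical stand-in for the real `/user` page, not AVideo's own markup; `countTags` is a deliberately simple check written for this example. Runs under Node.js.

```javascript
// Added example (not AVideo or advisory code): reflected XSS via the
// `success` parameter, vulnerable versus hardened rendering.

// Reproduction URL exactly as given in the report.
const REPRO_URL =
  'https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>';

// Extract the parameter the way a server would see it: WHATWG URL parsing
// percent-encodes quotes, angle brackets and spaces on the wire and
// searchParams decodes them again, so the raw payload comes back intact.
function successParam(url) {
  return new URL(url).searchParams.get("success");
}

// Hypothetical vulnerable rendering: the value lands inside a double-quoted
// attribute with no encoding, so a leading `">` closes the attribute and the
// tag, and everything after it is parsed as new markup.
function renderVulnerable(success) {
  return `<input type="hidden" name="success" value="${success}">`;
}

// Minimal HTML encoder for the characters that matter in text and in
// double- or single-quoted attribute values (the same set PHP's
// htmlspecialchars($s, ENT_QUOTES) escapes).
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: encode at output time, for the attribute context.
function renderHardened(success) {
  return `<input type="hidden" name="success" value="${htmlEncode(success)}">`;
}

// Crude check that is sufficient for this case: count start tags in the
// output. The template contributes exactly one; any extra tag was injected
// by the reflected value. (A real test would use an HTML parser.)
function countTags(html) {
  return (html.match(/<[A-Za-z][^>]*>/g) || []).length;
}

// True when the renderer lets the parameter add markup to the page.
function reflectsMarkup(render, param) {
  return countTags(render(param)) > countTags(render(""));
}

const payload = successParam(REPRO_URL);
console.log("vulnerable:", renderVulnerable(payload));
console.log("hardened:  ", renderHardened(payload));
console.log("vulnerable reflects markup:", reflectsMarkup(renderVulnerable, payload));
console.log("hardened reflects markup:  ", reflectsMarkup(renderHardened, payload));
```

The encoding must match the output context: the attribute encoder above is wrong for a value written into a JavaScript string or a URL, which need their own escaping. A Content-Security-Policy that blocks inline event handlers and an HttpOnly session cookie are defence in depth, not a substitute for encoding the reflected value.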