GHSA-RQP3-GF5H-MRQX: WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Summary

AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epglink to a malicious XML file whose elements contain JavaScript. This...
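
The rendering flaw described above, shown beside its hardened form as an added PHP example (not AVideo's own code): programme titles read from an EPG feed are untrusted text and must be HTML-escaped where they are written into the page. The function names, the output markup and the sample feed are constructed for illustration, and the XMLTV-style layout of the feed is an assumption.

```php
<?php
// Added example, not AVideo's code. Names, markup and feed are constructed.

// Constructed XMLTV-style EPG feed (assumed layout). The second title carries
// markup, entity-encoded in the XML so the parser returns it as literal text.
const SAMPLE_EPG = <<<'XML'
<tv>
  <programme start="20240101000000 +0000" channel="demo">
    <title>Evening News</title>
  </programme>
  <programme start="20240101010000 +0000" channel="demo">
    <title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
  </programme>
</tv>
XML;

/** Parse the feed and return programme titles as untrusted plain strings. */
function epgTitles(string $xml): array
{
    // LIBXML_NONET: no network access while parsing the document.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        return []; // malformed feed: render nothing rather than partial data
    }
    $titles = [];
    foreach ($doc->programme as $programme) {
        $titles[] = (string) $programme->title;
    }
    return $titles;
}

/** Pattern the advisory describes: title concatenated into HTML unescaped. */
function renderUnsafe(string $title): string
{
    return '<div class="programme">' . $title . '</div>';
}

/** Hardened form: HTML-escape the title at the output boundary. */
function renderSafe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="programme">' . $escaped . '</div>';
}

foreach (epgTitles(SAMPLE_EPG) as $title) {
    echo renderSafe($title), PHP_EOL;
}
```

With `renderSafe`, the second title reaches the browser as inert text (`&lt;script&gt;...`); with `renderUnsafe`, the same string would be emitted as a live element.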