CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
55.4%
CVE-2022-26842
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
WWBN AVideo 11.6
WWBN AVideo dev master commit 3f7c0364
AVideo - https://github.com/WWBN/AVideo
9.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-79 - Improper Neutralization of Input During Web Page Generation (βCross-site Scriptingβ)
AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.
The PHP file view/charts.php
is a dashboard that shows several charts about the videos published for the current logged-in user.
...
<body class="<?php echo $global['bodyClass']; ?>">
<?php
include $global['systemRootPath'] . 'view/include/navbar.php';
include $global['systemRootPath'] . 'view/charts_body.php'; // [1]
include_once $global['systemRootPath'] . 'view/include/footer.php';
?>
</body>
...
charts.php
includes view/charts_body.php
[1] which shows the body of the page:
...
<ul> // [2]
<li><a href="#dashboard"><i></i> <?php echo __("Dashboard"); ?></a></li>
<li><a href="#myVideosReport"><i></i> <?php echo __("My Videos"); ?></a></li>
<li><a href="#menu1"><i></i> <i></i> <?php echo __("Video views - per Channel"); ?></a></li>
<li><a href="#menu2"><i></i> <i></i> <?php echo __("Comment thumbs up - per Person"); ?></a></li>
<li><a href="#menu3"><i></i> <i></i> <?php echo __("Video thumbs up - per Channel"); ?></a></li>
<?php echo AVideoPlugin::getChartTabs(); ?>
</ul>
...
<script type="text/javascript">
$(document).ready(function () { // [3]
<?php if (!empty($_GET['jump'])) { ?>
$('#<?php echo $_GET['jump']; ?>').click();
<?php } ?>
});
</script>
The page has a navigation bar shown as tabs [2], and it also has a Javascript function that is used to select a specific tab at page load, depending on the value of the jump
GET parameter. Itβs supposed to be used with a request like https://192.168.200/view/charts.php?jump=commentthumbs
for selecting the comments tab.
The jump
parameter is however not sanitized, leading to a straightforward reflected cross-site scripting issue (XSS). This can be used by an attacker, in the worst case, to take over an administrator account, for example by tricking an administrator into clicking on a link that triggers the XSS.
The XSS can be triggered with a request like https://192.168.200/view/charts.php?jump=x%27);alert(1);//
. It must be performed as a logged-in user.
Vendor confirms issues fixed on July 7th 2022
2022-07-05 - Vendor Disclosure
2022-07-07 - Vendor Patch Release
2022-08-16 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2022-1538
Previous Report
TALOS-2022-1536
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
55.4%