9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
5.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
47.3%
CVE-2023-48728
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
WWBN AVideo 11.6
WWBN AVideo dev master commit 3c6bb3ff
AVideo - <https://github.com/WWBN/AVideo>
9.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-79 - Improper Neutralization of Input During Web Page Generation (βCross-site Scriptingβ)
AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.
The PHP file objects/functiongetOpenGraph.php
is vulnerable to an XSS issue due to missing sanitization of the videoName
parameter:
<?php
echo PHP_EOL."".PHP_EOL;
if (empty($videos_id)) {
echo PHP_EOL."".PHP_EOL;
if (!empty($_GET['videoName'])) {
[1] echo PHP_EOL."".PHP_EOL;
$video = Video::getVideoFromCleanTitle($_GET['videoName']);
}
...
Since videoName
is not sanitized and is displayed on the page [1], this leads to a straightforward reflected cross-site scripting issue (XSS). This can be used by an attacker, in the worst case, to take over an administrator account, for example by tricking an administrator into clicking on a link that triggers the XSS.
This proof-of-concept calls alert(1)
:
https://localhost/objects/functiongetOpenGraph.php?videoName=123+--><script>alert(1)</script>
2023-12-14 - Vendor Disclosure
2023-12-15 - Vendor Patch Release
2024-01-10 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2023-1884
Previous Report
TALOS-2023-1882
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
5.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
47.3%