Talos Vulnerability Report

TALOS-2023-1883

WWBN AVideo functiongetOpenGraph videoName cross-site scripting (XSS) vulnerability

January 10, 2024
CVE Number

CVE-2023-48728

SUMMARY

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6
WWBN AVideo dev master commit 3c6bb3ff

PRODUCT URLS

AVideo - https://github.com/WWBN/AVideo

CVSSv3 SCORE

9.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

The PHP file objects/functiongetOpenGraph.php is vulnerable to an XSS issue due to missing sanitization of the videoName parameter:

    <?php
    echo PHP_EOL."<!-- OpenGraph -->".PHP_EOL;
    if (empty($videos_id)) {
        echo PHP_EOL."<!-- OpenGraph no video id -->".PHP_EOL;
        if (!empty($_GET['videoName'])) {
[1]         echo PHP_EOL."<!-- OpenGraph videoName {$_GET['videoName']} -->".PHP_EOL;
            $video = Video::getVideoFromCleanTitle($_GET['videoName']);
        }
    ...

Since videoName is not sanitized and is displayed on the page [1], this leads to a straightforward reflected cross-site scripting issue (XSS). This can be used by an attacker, in the worst case, to take over an administrator account, for example by tricking an administrator into clicking on a link that triggers the XSS.

Exploit Proof of Concept

This proof-of-concept calls alert(1):

https://localhost/objects/functiongetOpenGraph.php?videoName=123+--><script>alert(1)</script>
TIMELINE

2023-12-14 - Vendor Disclosure
2023-12-15 - Vendor Patch Release
2024-01-10 - Public Release

Credit

Discovered by Claudio Bozzato of Cisco Talos.