CVE-2023-30860

Published: May 8, 2023Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.

Affected (1)

Products: Wwbn: Avideo

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wwbn Avideo	Before 12.4

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm

Source: security-advisories@github.com

ExploitVendor Advisory

https://youtu.be/Nke0Bmv5F-o

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://youtu.be/Nke0Bmv5F-o

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.