CVE-2023-25314: Thanks Jefferson Gonzales · WWBN/AVideo@2b44dee
Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user.
Thanks Jefferson Gonzales
this update prevents the XSS attack
Description:
While creating an account on demo.avideo.com, I found a parameter “?success=” which did not properly sanitize any symbol characters, which leads to an XSS attack.
Impact:
Since there’s an Admin account on demo.avideo.com, an attacker can use this attack to take over the admin’s account.
Steps to Reproduce:
- Click the link below
https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>
- Then the XSS will be executed
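As an added illustration (not AVideo's own code and not the change in this commit), a hypothetical PHP handler for a `/user` page that reflects the `success` parameter the way the report describes, beside an output-encoded version and an allowlist version that never reflects the raw value; it assumes PHP 8 and constructed message keys.

```php
<?php
// Added illustration, not AVideo's code: a hypothetical /user page that
// reflects the "success" query parameter into its HTML.

// Vulnerable form, as the report describes: the raw value is placed inside
// a quoted attribute, so "> closes the attribute and the tag, and anything
// after it (here an <img> with an onerror handler) becomes live markup.
function renderSuccessVulnerable(string $success): string
{
    return '<input type="hidden" name="success" value="' . $success . '">';
}

// Hardened form: HTML-encode the value for the attribute context.
// ENT_QUOTES encodes both " and ', so the attribute cannot be broken out of;
// < and > are encoded too, so no element can be injected as text either.
function renderSuccessSafe(string $success): string
{
    $safe = htmlspecialchars($success, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="success" value="' . $safe . '">';
}

// Alternative: if "success" only selects a canned message, accept known
// keys and never reflect the raw input at all (message keys are constructed).
const SUCCESS_MESSAGES = [
    'created' => 'Your account has been created.',
    'updated' => 'Your profile has been updated.',
];

function renderSuccessAllowlist(string $success): string
{
    $msg = SUCCESS_MESSAGES[$success] ?? '';
    return '<div class="alert">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Check each variant against the payload quoted in the report.
$payload = '"><img src=x onerror=alert(document.cookie)>';

$vuln = renderSuccessVulnerable($payload);
$safe = renderSuccessSafe($payload);
$list = renderSuccessAllowlist($payload);

assert(str_contains($vuln, '<img'));      // injected element survives
assert(!str_contains($safe, '<img'));     // encoded, rendered as literal text
assert(!str_contains($list, 'onerror'));  // unknown key: nothing reflected

echo $safe, "\n";
```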