CVE-2024-34899
WWBN AVideo is a platform, written in PHP, engineered for the distribution of audio and video content, offering capabilities such as Video On Demand (VOD), streaming, and live streaming. To date, it has been installed on over 4,000 websites in more than 190 countries around the world.
A cross-site scripting (XSS) vulnerability has been identified in the view/about.php page of AVideo, affecting versions from 10.4 up to 12.4. This vulnerability can be exploited by sending a specially crafted request, which would result in the execution of arbitrary JavaScript code.
The versions 10.4 up to 12.4 were tested and verified to be vulnerable by HDNA and confirmed to be vulnerable by the vendor.
AVideo - https://github.com/WWBN/AVideo
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
The PHP file view/about.php is vulnerable to an XSS issue because the User-Agent header is not sanitized. At line [53], the page reads the user agent from the request headers through $_SERVER['HTTP_USER_AGENT'] and echoes it without any sanitization or output encoding.
In PHP, echoing a user-controlled value, here the User-Agent header, without sanitization allows an attacker to inject malicious scripts into the output of a web page, which are then executed in the browser of anyone viewing that page.
The damage from such an attack can vary from minor nuisances to severe security breaches, including session hijacking, account takeover, and data theft.
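The following PHP example is added here to illustrate the pattern the advisory describes; it is not AVideo's code and does not reproduce the vendor's patch in commit 3457115. The function names, the `$fakeServer` array and the sample User-Agent value are constructed for the demonstration, and PHP 8 is assumed for `str_contains`. It places the vulnerable echo next to a hardened version that encodes the header for an HTML text context, and includes a small regression check a reviewer can run over rendered output.

```php
<?php
// Added example (not AVideo's code): the vulnerable pattern described in the
// advisory next to a hardened version. Names and sample data are constructed.

declare(strict_types=1);

/**
 * Mirrors the flaw described in the advisory: the User-Agent header is
 * echoed straight into the HTML response without output encoding.
 * Vulnerable on purpose; kept only for comparison.
 */
function renderUserAgentVulnerable(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? 'unknown';
    return "<p>Your browser: {$ua}</p>";
}

/**
 * Hardened version: encode the untrusted value for an HTML text context.
 * ENT_QUOTES also escapes single and double quotes, ENT_SUBSTITUTE avoids
 * returning an empty string on malformed UTF-8, and the charset is pinned.
 */
function renderUserAgentSafe(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? 'unknown';
    $encoded = htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Your browser: {$encoded}</p>";
}

/**
 * Regression check: does the rendered HTML still contain the untrusted value
 * verbatim while that value carries raw angle brackets? True means the value
 * reached the page unencoded. This complements encoding; it does not replace it.
 */
function containsRawTags(string $html, string $untrusted): bool
{
    $hasBrackets = str_contains($untrusted, '<') || str_contains($untrusted, '>');
    return $hasBrackets && str_contains($html, $untrusted);
}

// Constructed request: a User-Agent carrying HTML markup instead of a browser string.
$fakeServer = ['HTTP_USER_AGENT' => 'Mozilla/5.0 <script>alert(1)</script>'];

$vulnerable = renderUserAgentVulnerable($fakeServer);
$safe       = renderUserAgentSafe($fakeServer);

echo "vulnerable: {$vulnerable}\n";
echo "safe:       {$safe}\n";

// The vulnerable output still carries the raw markup; the encoded one does not.
if (!containsRawTags($vulnerable, $fakeServer['HTTP_USER_AGENT'])) {
    throw new RuntimeException('expected the vulnerable renderer to leak raw markup');
}
if (containsRawTags($safe, $fakeServer['HTTP_USER_AGENT'])) {
    throw new RuntimeException('hardened renderer leaked raw markup');
}
echo "check passed: encoded output contains no raw tags\n";
```

Run with `php example.php`. The key design point is that the fix lives at the output boundary: `htmlspecialchars` is applied at the moment the header is written into HTML, so the same value can still be logged or stored unchanged. A Content-Security-Policy that disallows inline scripts is a sensible second layer, but it does not remove the need for output encoding.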
AVideo commit 3457115 - https://github.com/WWBN/AVideo/commit/345711562621d879e63a817d01a229bf0aae7a1d
2024-05-03 - Vendor Disclosure
2024-05-03 - Vendor Patch Release
2024-05-13 - Public Release
Discovered by HackerDna Research