CVE-2022-28712

CVSS 9 CRITICAL · EPSS 2.4% · CWE-79
In short

A flaw in WWBN AVideo allows attackers to inject malicious code that runs in a user's browser when they interact with the video upload feature. If a user clicks a crafted link or visits a malicious page, their account and data could be compromised.

Technical detail

A cross-site scripting (XSS) vulnerability in the videoAddNew functionality of WWBN AVideo 11.6 and dev master (commit 3f7c0364) allows arbitrary JavaScript execution through a specially crafted HTTP request. The attack requires social engineering to trick an authenticated user into triggering the payload, but once executed, it grants the attacker access to the user's session and sensitive data.

Summary generated and translated by AI from the official description.
A cross-site scripting (XSS) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected products
WWBN · AVideo
