← back
CVE-2022-30690

CVE-2022-30690

CVSS 9.6 CRITICALEPSS 83.6%CWE-79
In short

A flaw in WWBN AVideo's image403 feature allows attackers to inject malicious JavaScript code into web pages. If a user visits a specially crafted link, their browser could execute the attacker's code, potentially stealing login credentials or sensitive information.

Technical detail

Cross-site scripting (XSS) vulnerability in the image403 endpoint of WWBN AVideo 11.6 and dev master (commit 3f7c0364) allows unauthenticated attackers to inject arbitrary JavaScript through malformed HTTP requests. The attack requires social engineering to trick an authenticated user into triggering the payload, resulting in session hijacking or credential theft.

Summary generated and translated by AI from the official description.
A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
WWBN · AVideo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sqlhttps://talosintelligence.com/vulnerability_reports/TALOS-2022-1539