CVE-2022-32771

CVSS 9.6 CRITICALEPSS 3.2%CWE-79

In short

A flaw in WWBN AVideo's footer alerts allows attackers to inject malicious JavaScript code that runs in users' browsers. An attacker can trick a logged-in user into clicking a link, causing harmful scripts to execute and potentially steal their data or account access.

Technical detail

Cross-site scripting (XSS) vulnerability in the footer alerts functionality of WWBN AVideo 11.6 and dev master, where the 'success' parameter is inserted into the DOM without proper sanitization. Attack requires social engineering to get an authenticated user to send a crafted HTTP request; successful exploitation results in arbitrary JavaScript execution in the victim's browser context.

Summary generated and translated by AI from the official description.

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.This vulnerability arrises from the "success" parameter which is inserted into the document with insufficient sanitization.

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

WWBN · AVideo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql https://talosintelligence.com/vulnerability_reports/TALOS-2022-1538