Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yZmNoLWh2NzQtZmd3Oc4AAy-3
Cross site scripting (XSS) in wwbn/avideo
Description:
While making an account in demo.avideo.com I found a parameter "?success=" which did not sanitize any symbol character properly which leads to XSS attack.
Impact:
Since there's an Admin account on demo.avideo.com attacker can use this attack to Takeover the admin's account
Step to Reproduce:
- Click the link below
https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>
- Then XSS will be executed
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yZmNoLWh2NzQtZmd3Oc4AAy-3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 12 months ago
Identifiers: GHSA-2fch-hv74-fgw9
References:
- https://github.com/WWBN/AVideo/security/advisories/GHSA-2fch-hv74-fgw9
- https://github.com/advisories/GHSA-2fch-hv74-fgw9
Blast Radius: 1.0
Affected Packages
packagist:wwbn/avideo
Dependent packages: 0Dependent repositories: 0
Downloads: 11 total
Affected Version Ranges: < 12.4
Fixed in: 12.4
All affected versions: 11.1.1
All unaffected versions: