Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account
In AVideo, a normal user can create a Meeting Schedule and invite another user to that Meeting, but I found out that it does not properly sanitize malicious characters when creating a Meeting Room. This allows an attacker to insert malicious scripts.
Impact:
Since any USER, including the ADMIN, can see the meeting room that was created by the attacker, this can lead to cookie hijacking and takeover of any account without user interaction.
Steps to Reproduce:
- As a normal USER go to Meet -> Schedule: https://demo.avideo.com/plugin/Meet/
- In the "Meet topic" field put the XSS payload. Example: "><img src=x onerror=alert('Pawned+by+Gonz')>
- Then click Save
- Now as ADMIN go to Meet -> Schedule -> Upcoming: https://demo.avideo.com/plugin/Meet/
- The XSS payload that the normal USER created will then be executed
Video POC: https://youtu.be/Nke0Bmv5F-o
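The defect described above is a stored value rendered into HTML without encoding. The following is an added illustration, not AVideo's code: the row-rendering functions, the `meeting` object and `countTags` are assumptions used to show the vulnerable pattern beside the fixed one, with the advisory's own payload as the constructed input.

```javascript
// Added example (not AVideo's code): why the "Meet topic" field must be
// HTML-encoded wherever the schedule is rendered. The render functions and
// the row layout are assumptions, not AVideo identifiers.

// Payload quoted in the advisory, used here only as a constructed test input.
const ADVISORY_PAYLOAD = `"><img src=x onerror=alert('Pawned+by+Gonz')>`;

// Encode the five characters that can change HTML structure or break out of
// an attribute value. Equivalent to PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  })[c]);
}

// Vulnerable pattern: the stored topic is concatenated straight into markup,
// so a topic beginning with "> closes the attribute and injects an element.
function renderRowUnsafe(meeting) {
  return `<tr data-topic="${meeting.topic}"><td>${meeting.topic}</td></tr>`;
}

// Fixed pattern: every stored, user-controlled value is encoded at output
// time, in both the attribute and the text context.
function renderRowSafe(meeting) {
  const topic = escapeHtml(meeting.topic);
  return `<tr data-topic="${topic}"><td>${topic}</td></tr>`;
}

// Review/test helper: count tag openers in rendered HTML. The template itself
// contributes exactly four (<tr>, <td>, </td>, </tr>); anything beyond that
// came from user data.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

const meeting = { topic: ADVISORY_PAYLOAD };
console.log(countTags(renderRowUnsafe(meeting))); // 6: two injected <img> tags
console.log(countTags(renderRowSafe(meeting)));   // 4: only the template's tags
```

The same check belongs in a unit test for each template that prints the topic, since the fix in 12.4 only holds as long as no new output path forgets the encoding.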
Permalink: https://github.com/advisories/GHSA-xr9h-p2rc-rpqm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjloLXAycmMtcnBxbc4AAzC_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 6 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-xr9h-p2rc-rpqm, CVE-2023-30860
References:
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm
- https://nvd.nist.gov/vuln/detail/CVE-2023-30860
- https://youtu.be/Nke0Bmv5F-o
- https://github.com/advisories/GHSA-xr9h-p2rc-rpqm
Blast Radius: 1.0
Affected Packages
packagist:wwbn/avideo
Dependent packages: 0
Dependent repositories: 0
Downloads: 11 total
Affected Version Ranges: < 12.4
Fixed in: 12.4
All affected versions: 11.1.1
All unaffected versions: