Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account
Vulnerability Description
WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
WWBN AVideo 跨站脚本漏洞
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN Avideo 12.4 之前版本存在跨站脚本漏洞,该漏洞源于普通用户可以创建会议日程,用户可以在该会议中邀请其他用户参加该会议,但在创建会议室时无法正确清除恶意角色,可能导致 cookie 劫持和接管任何帐户。
CVSS Information
N/A
Vulnerability Type
N/A