CVE-2022-26842
In short
A flaw in AVideo 11.6's charts feature allows attackers to inject malicious code that runs in users' browsers when they click a specially crafted link. The injected code can steal sensitive information or take actions on behalf of the user.
Technical detail
A reflected XSS vulnerability in the charts tab selection functionality of WWBN AVideo 11.6 and dev master (commit 3f7c0364) allows unauthenticated attackers to inject arbitrary JavaScript through a crafted HTTP request. Exploitation requires social engineering to trick an authenticated user into visiting the malicious link, resulting in session hijacking, credential theft, or unauthorized actions within the application.
Summary generated and translated by AI from the official description.
A reflected cross-site scripting (XSS) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
WWBN · AVideo