CVE-2023-30860
HIGHWWBN AVideo < 12.4 - Stored Cross-Site Scripting via Meeting Room Creation
Title source: llmDescription
WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm
Exploit, Third Party Advisory x_refsource_misc
https://youtu.be/Nke0Bmv5F-o
Scores
CVSS v3
8.0
EPSS
0.0361
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (2)
wwbn/avideo
< 12.4
wwbn/avideo
0 - 12.4Packagist
Published
May 08, 2023
Tracked Since
Feb 18, 2026