Platform
php
Component
avideo
Fixed in
14.4.1
8.0.1
CVE-2025-53084 describes a cross-site scripting (XSS) vulnerability affecting WWBN AVideo version 14.4 and the dev master branch. It allows an attacker to inject JavaScript through the videosList page parameter, leading to arbitrary script execution in a user's browser. The vulnerability is rated CRITICAL with a CVSS score of 9 and is resolved in version 14.4.1.
The impact of this XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code and trick a user into clicking it. Upon visiting the crafted page, the injected script would execute in the user's browser context, allowing the attacker to steal cookies, session tokens, or redirect the user to a phishing site. The attacker could also modify the content of the page, potentially defacing the website or displaying misleading information. Given the potential for widespread user impact and the ease of exploitation, this vulnerability poses a serious threat to WWBN AVideo deployments.
CVE-2025-53084 was publicly disclosed on 2025-07-24. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the CRITICAL severity rating suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Organizations and individuals using WWBN AVideo version 14.4 are at immediate risk. Shared hosting environments where multiple users share the same AVideo installation are particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account. Users who frequently interact with the videosList page are also at higher risk.
• php: Examine access logs for requests containing suspicious JavaScript code in the videosList parameter. Use grep to search for patterns like <script> or javascript: within the parameter value.
grep 'videosList=[^>]*<script[^>]*' /var/log/apache2/access.log
• generic web: Use curl to test the videosList parameter with a simple JavaScript payload and inspect the response body for the payload reflected without HTML encoding (curl does not execute JavaScript, so no alert box will appear; an unencoded reflection is the sign that the page is vulnerable).
curl 'http://your-avideo-instance/videosList?videosList=<script>alert("XSS")</script>' -s
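The grep above only matches a literal <script tag, so a percent-encoded or double-encoded payload in the videosList parameter slips past it. The following log scanner is an added example (not code from the page or the AVideo project) that parses Apache combined-format lines, decodes the parameter repeatedly, and then matches; the log lines and IP addresses are constructed, and the videosList path and parameter name are taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators of script injection, checked against the *decoded* value.
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),
    re.compile(r'javascript\s*:', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),              # onerror=, onload=, ...
    re.compile(r'<\s*(img|svg|iframe|object|embed)\b', re.I),
]

def fully_decode(value, rounds=3):
    """Undo percent-encoding until stable; double-encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_videos_list(line):
    """Return a hit dict if the videosList parameter looks like an XSS attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                                  # unparsable line: skip, don't crash
    params = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    for raw in params.get('videosList', []):         # parse_qs already decodes one layer
        decoded = fully_decode(raw)
        for pat in XSS_PATTERNS:
            if pat.search(decoded):
                return {'ip': m.group('ip'), 'time': m.group('time'),
                        'pattern': pat.pattern, 'value': decoded}
    return None

def scan(lines):
    return [hit for hit in (suspicious_videos_list(l) for l in lines) if hit]

# Constructed sample log lines: one benign request, then raw, encoded and double-encoded payloads.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jul/2025:10:00:01 +0000] "GET /videosList?videosList=recent HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jul/2025:10:00:02 +0000] "GET /videosList?videosList=<script>alert(1)</script> HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Jul/2025:10:00:03 +0000] "GET /videosList?videosList=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Jul/2025:10:00:04 +0000] "GET /videosList?videosList=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the second sample line would be caught by the page's grep; the scanner flags all three payloads.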
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-53084 is to immediately upgrade to WWBN AVideo version 14.4.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the videosList page parameter to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor web server access logs for suspicious requests containing unusual JavaScript code in the videosList parameter.
Update AVideo to a version later than 14.4 or to a commit after 8a8954ff. This fixes the XSS vulnerability in the videosList page parameter handling. Check the vendor website for the latest version and update instructions.
CVE-2025-53084 is a critical cross-site scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute malicious JavaScript code.
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability.
Upgrade to WWBN AVideo version 14.4.1 or later to resolve the vulnerability. Implement input validation and output encoding as a temporary workaround.
While no active exploitation campaigns have been publicly confirmed, the high severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-53084.