Platform: php
Component: avideo
Fixed in: 14.4.1, 8.0.1
CVE-2025-41420 is a critical Cross-Site Scripting (XSS) vulnerability in WWBN AVideo version 14.4. It lets an attacker execute arbitrary JavaScript in a victim's browser by crafting a malicious HTTP request. The flaw lies in the cancelUri parameter of userLogin and is fixed in version 14.4.1.
Successful exploitation of CVE-2025-41420 allows an attacker to inject malicious JavaScript into a page viewed by authenticated users of WWBN AVideo. This can lead to session hijacking, account takeover, and defacement of the application. An attacker could steal sensitive user data, redirect users to phishing sites, or, if the victim has administrative privileges, gain control of the entire application. The CRITICAL CVSS rating reflects both this impact and the ease with which the vulnerability can be triggered.
CVE-2025-41420 was publicly disclosed on 2025-07-24. No public proof-of-concept (PoC) code had been released at the time of writing, but because the vulnerability is easy to exploit, exploitation is considered likely. It is not currently listed in the CISA KEV catalog. Its CRITICAL severity underscores the importance of prompt remediation.
Exploit Status
EPSS: 0.15% (36th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-41420 is to upgrade to WWBN AVideo version 14.4.1 or later, which contains the fix. If upgrading immediately is not possible, implement input validation and context-appropriate output encoding on the userLogin cancelUri parameter so that injected scripts are never rendered. A Web Application Firewall (WAF) configured to detect and block XSS attacks can provide a temporary layer of protection. Review and sanitize all user-supplied input before rendering it in the application.
Update AVideo to a version later than 14.4, or to commit 8a8954ff or later. Consult the vendor's website for the latest version and update instructions, and apply the security measures the vendor recommends for mitigating the XSS vulnerability.
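As an added illustration (not AVideo's own code, and not the actual change in commit 8a8954ff), the PHP below shows the validate-then-encode pattern recommended above for a cancel/return URI parameter. It assumes the value is read from the request, rendered into an HTML attribute, and should only ever point back into the application as a same-site relative path; the function names and the default path are hypothetical.

```php
<?php
// Added example, not AVideo's code. Hardens a "cancelUri"-style parameter:
// validate its meaning first (same-site relative path only), then encode it
// for the HTML attribute context it is rendered into. Assumes PHP 7.4+.
declare(strict_types=1);

const DEFAULT_CANCEL_URI = '/';   // hypothetical fallback destination

/**
 * Return the supplied cancel URI if it is a safe relative path, else the
 * default. Rejects anything with a scheme ("javascript:", "data:", "https:"),
 * a protocol-relative authority ("//host"), backslash tricks ("/\host"),
 * characters outside the unreserved/sub-delim set, or ".." traversal, so
 * off-site redirects and script URLs are never accepted.
 */
function validateCancelUri(?string $raw): string
{
    if ($raw === null || $raw === '') {
        return DEFAULT_CANCEL_URI;
    }
    // Exactly one leading "/", not followed by "/" or "\", then URI-safe chars.
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9._~!$&\'()*+,;=:@%/?-]*$#', $raw)) {
        return DEFAULT_CANCEL_URI;
    }
    $path = parse_url($raw, PHP_URL_PATH);
    if (!is_string($path) || strpos($path, '..') !== false) {
        return DEFAULT_CANCEL_URI;
    }
    return $raw;
}

/**
 * Encode a value for an HTML attribute. ENT_QUOTES escapes both quote styles,
 * which is what stops a value from breaking out of a quoted attribute.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rendering: semantic validation AND syntactic encoding, never only one of them.
$cancelUri = validateCancelUri($_GET['cancelUri'] ?? null);
echo '<a class="btn" href="' . attr($cancelUri) . '">Cancel</a>';
```

Run from the CLI, $_GET is empty and the default path is rendered; behind a web server, any value that is not a same-site relative path is replaced by the default before encoding.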
CVE-2025-41420 is a critical Cross-Site Scripting (XSS) vulnerability in WWBN AVideo 14.4 that allows attackers to execute JavaScript code. It affects version 14.4 only (affected range 14.4–14.4).
If you are using WWBN AVideo version 14.4, you are potentially affected by this vulnerability. Upgrade to 14.4.1 or later to mitigate the risk.
The recommended fix is to upgrade to WWBN AVideo version 14.4.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability is easy to exploit, so exploitation is considered likely. Monitor your systems closely.
Please refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-41420.