प्लेटफ़ॉर्म
php
घटक
avideo
में ठीक किया गया
14.4.1
8.0.1
CVE-2025-50128 describes a cross-site scripting (XSS) vulnerability within the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo. Successful exploitation allows an attacker to execute arbitrary JavaScript code, potentially compromising user accounts and sensitive data. This vulnerability impacts versions 14.4 and the dev master branch. A patch is available in version 14.4.1.
This XSS vulnerability poses a significant risk because it allows attackers to inject malicious scripts into web pages viewed by authenticated users of WWBN AVideo. An attacker could craft a malicious HTTP request, enticing a user to visit a webpage containing the exploit. Upon visiting the page, the injected script would execute in the user's browser, potentially stealing session cookies, redirecting the user to a phishing site, or modifying the content of the page. The impact extends beyond simple defacement; attackers could gain complete control over user accounts and potentially access sensitive data stored within the AVideo system. The severity is heightened by the potential for widespread exploitation if the vulnerability is easily discoverable and exploitable.
CVE-2025-50128 was publicly disclosed on 2025-07-24. The vulnerability is considered critical due to the ease of exploitation and potential impact. No public proof-of-concept (POC) code has been observed at the time of writing, but the XSS nature of the vulnerability suggests that a POC is likely to emerge. The vulnerability has not been added to the CISA KEV catalog as of this date.
Organizations using WWBN AVideo version 14.4, particularly those with publicly accessible video streaming services, are at significant risk. Shared hosting environments where multiple users share the same AVideo instance are especially vulnerable, as an attacker could potentially compromise other users' accounts through this vulnerability.
• php: Examine access logs for requests containing suspicious payloads in the videoNotFound parameter. Use grep to search for patterns indicative of XSS attempts.
grep 'videoNotFound=[^a-zA-Z0-9]*' access.log• generic web: Use curl to test the affected endpoint with a simple XSS payload and observe the response for signs of script execution.
curl 'http://your-avideo-site.com/?videoNotFound=<script>alert(1)</script>'• generic web: Check response headers for Content-Security-Policy (CSP) directives. Absence or weak CSP configurations increase the risk.
disclosure
एक्सप्लॉइट स्थिति
EPSS
0.10% (28% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-50128 is to immediately upgrade to version 14.4.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious patterns in the videoNotFound 404ErrorMsg parameter. Carefully review and sanitize all user-supplied input before rendering it in HTML. Implement strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious payload and verifying that the script is not executed.
AVideo को 14.4 से बाद के संस्करण या 8a8954ff से बाद की कमिट में अपडेट करें। यह वीडियोNotFound 404ErrorMsg पैरामीटर में XSS भेद्यता को ठीक कर देगा। अधिक विवरण के लिए Talos Intelligence रिपोर्ट देखें।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-50128 is a critical cross-site scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute malicious scripts.
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability.
Upgrade to version 14.4.1 or later to resolve the vulnerability. Implement WAF rules and CSP headers as temporary mitigations.
While no active exploitation has been confirmed, the XSS nature of the vulnerability suggests a high likelihood of exploitation.
Refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-50128.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।