Er is een cross-site scripting (xss) kwetsbaarheid aanwezig in de videosList pagina parameter functionaliteit van WWBN AVideo 14.4 en dev master commit 8a8954ff. Een speciaal opgebouwde HTTP-request kan leiden tot arbitr
Platform
php
Component
avideo
Opgelost in
14.4.1
8.0.1
CVE-2025-53084 describes a cross-site scripting (XSS) vulnerability affecting WWBN AVideo versions 14.4 and the dev master branch. This vulnerability allows an attacker to inject malicious JavaScript code into the videosList page parameter, potentially leading to arbitrary code execution within a user's browser. The vulnerability is rated as CRITICAL with a CVSS score of 9 and is resolved in version 14.4.1.
Impact en Aanvalsscenarioswordt vertaald…
The impact of this XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code and trick a user into clicking it. Upon visiting the crafted page, the injected script would execute in the user's browser context, allowing the attacker to steal cookies, session tokens, or redirect the user to a phishing site. The attacker could also modify the content of the page, potentially defacing the website or displaying misleading information. Given the potential for widespread user impact and the ease of exploitation, this vulnerability poses a serious threat to WWBN AVideo deployments.
Uitbuitingscontextwordt vertaald…
CVE-2025-53084 was publicly disclosed on 2025-07-24. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the CRITICAL severity rating suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Wie Loopt Risicowordt vertaald…
Organizations and individuals using WWBN AVideo version 14.4 are at immediate risk. Shared hosting environments where multiple users share the same AVideo installation are particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account. Users who frequently interact with the videosList page are also at higher risk.
Detectiestappenwordt vertaald…
• php: Examine access logs for requests containing suspicious JavaScript code in the videosList parameter. Use grep to search for patterns like <script> or javascript: within the parameter value.
grep 'videosList=[^>]*<script[^>]*' /var/log/apache2/access.log• generic web: Use curl to test the videosList parameter with a simple JavaScript payload and observe the response for signs of execution (e.g., an alert box).
curl 'http://your-avideo-instance/videosList?videosList=<script>alert("XSS")</script>' -sAanvalstijdlijn
- Disclosure
disclosure
Dreigingsinformatie
Exploit Status
EPSS
0.08% (24% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Vereist — slachtoffer moet een bestand openen, op een link klikken of een pagina bezoeken.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-53084 is to immediately upgrade to WWBN AVideo version 14.4.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the videosList page parameter to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Monitor web server access logs for suspicious requests containing unusual JavaScript code in the videosList parameter.
Hoe te verhelpen
Werk AVideo bij naar een versie later dan 14.4 of naar een commit later dan 8a8954ff. Dit zal de XSS-kwetsbaarheid in de videosList pagina parameter functionaliteit oplossen. Raadpleeg de website van de leverancier voor de laatste versie en de update-instructies.
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-53084 — XSS in WWBN AVideo?
CVE-2025-53084 is a critical cross-site scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute malicious JavaScript code.
Am I affected by CVE-2025-53084 in WWBN AVideo?
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability.
How do I fix CVE-2025-53084 in WWBN AVideo?
Upgrade to WWBN AVideo version 14.4.1 or later to resolve the vulnerability. Implement input validation and output encoding as a temporary workaround.
Is CVE-2025-53084 being actively exploited?
While no active exploitation campaigns have been publicly confirmed, the high severity and ease of exploitation suggest a high probability of exploitation.
Where can I find the official WWBN advisory for CVE-2025-53084?
Refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-53084.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.