A cross-site scripting (XSS) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request
Platform
php
Component
avideo
Fixed in
14.4.1
8.0.1
CVE-2025-46410 describes a cross-site scripting (XSS) vulnerability affecting WWBN AVideo versions 14.4 and the dev master branch. This vulnerability allows an attacker to execute arbitrary JavaScript code within a user's browser by crafting a malicious HTTP request. The vulnerability resides in the managerPlaylists PlaylistOwnerUsersId parameter. A fix is available in version 14.4.1.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-46410 allows an attacker to inject malicious scripts into webpages viewed by authenticated users of WWBN AVideo. This can lead to a variety of attacks, including session hijacking, credential theft, and defacement of the application. The attacker could potentially gain complete control over the user's session, allowing them to perform actions on behalf of the user without their knowledge. The blast radius extends to any user who interacts with the vulnerable parameter, making it a significant risk for organizations relying on AVideo for content management.
Exploitation Context
CVE-2025-46410 was publicly disclosed on 2025-07-24. No public proof-of-concept (POC) code has been observed at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 9.6 indicates a critical severity, suggesting a high potential for exploitation if a suitable POC is developed and widely distributed.
Who Is at Risk
Organizations using WWBN AVideo for content management, particularly those with custom integrations or extensions that rely on the managerPlaylists parameter, are at risk. Users with administrative privileges or those who frequently interact with the application are especially vulnerable to exploitation.
Detection Steps
• php / web:
grep -r 'managerPlaylists PlaylistOwnerUsersId' /var/www/avideo/
• generic web:
curl -I 'https://your-avideo-instance.com/managerPlaylists?PlaylistOwnerUsersId=<script>alert(1)</script>'
• generic web:
curl -s 'https://your-avideo-instance.com/managerPlaylists?PlaylistOwnerUsersId=<script>alert(1)</script>' | grep alert
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: remotely exploitable over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication required to exploit.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Changed: the attack can extend beyond the vulnerable component to other systems.
- Confidentiality
- High: complete loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete crash or resource exhaustion. Total denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-46410 is to upgrade to WWBN AVideo version 14.4.1 or later, which includes a fix for the vulnerability. If immediate upgrading is not possible, consider implementing input validation and output encoding on the managerPlaylists PlaylistOwnerUsersId parameter to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Thoroughly review and update any existing security policies to address XSS vulnerabilities.
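The mitigation above recommends input validation and output encoding on the PlaylistOwnerUsersId parameter. The PHP snippet below is an added illustration written for this page, not code from AVideo or from its fix in 14.4.1; the page layout, the function names and the sample inputs are assumptions. It shows the unsafe reflection pattern next to a hardened version that validates the parameter as an integer identifier and HTML-encodes it before it is written into the response.

```php
<?php
// Added example (not AVideo's own code): illustrates validation and output
// encoding for a hypothetical page that reflects the PlaylistOwnerUsersId
// query parameter. Function names and markup are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into HTML unchanged,
// so any markup it carries is rendered as markup by the browser.
function renderOwnerVulnerable(array $query): string
{
    $ownerId = $query['PlaylistOwnerUsersId'] ?? '';
    return '<div data-owner="' . $ownerId . '">Owner ' . $ownerId . '</div>';
}

// Hardened pattern, step 1: input validation. The parameter is an identifier,
// so anything that is not a positive integer is rejected before it is used.
function validateOwnerId(array $query): ?int
{
    $raw = $query['PlaylistOwnerUsersId'] ?? null;
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened pattern, step 2: output encoding. Even a validated value is encoded
// for the HTML context it lands in (attribute and text), so the two defences
// hold independently of each other. ENT_QUOTES covers both quote characters.
function renderOwnerHardened(array $query): string
{
    $ownerId = validateOwnerId($query);
    if ($ownerId === null) {
        return '<div class="error">Invalid playlist owner id</div>';
    }
    $safe = htmlspecialchars((string) $ownerId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div data-owner="' . $safe . '">Owner ' . $safe . '</div>';
}

// Constructed sample inputs: a legitimate id and the probe value used in the
// detection steps on this page.
$benign  = ['PlaylistOwnerUsersId' => '42'];
$hostile = ['PlaylistOwnerUsersId' => '<script>alert(1)</script>'];

echo renderOwnerVulnerable($hostile), PHP_EOL; // markup is passed through to the browser
echo renderOwnerHardened($hostile), PHP_EOL;   // rejected by the integer check
echo renderOwnerHardened($benign), PHP_EOL;    // rendered with the encoded id
```

Run it with `php example.php` to compare the three responses. The validation step alone would already stop the probe value, but keeping the `htmlspecialchars` call means a later change that relaxes the validation (for example, accepting usernames instead of numeric ids) does not silently reintroduce the injection.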
How to Remediate
Update AVideo to a version later than the affected version. Consult the vendor's website for the latest version and update instructions. Apply the security updates offered by the vendor as soon as possible.
Frequently Asked Questions
What is CVE-2025-46410 — XSS in WWBN AVideo?
CVE-2025-46410 is a critical Cross-Site Scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute JavaScript code.
Am I affected by CVE-2025-46410 in WWBN AVideo?
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability. Upgrade to 14.4.1 to mitigate the risk.
How do I fix CVE-2025-46410 in WWBN AVideo?
Upgrade to WWBN AVideo version 14.4.1 or later. As a temporary measure, implement input validation and output encoding on the vulnerable parameter.
Is CVE-2025-46410 being actively exploited?
As of the current date, there are no confirmed reports of active exploitation, but the high CVSS score indicates a significant risk.
Where can I find the official WWBN advisory for CVE-2025-46410?
Please refer to the WWBN security advisories page for the latest information and official guidance regarding CVE-2025-46410.