Platform
php
Component
avideo
Fixed in
14.4.1
8.0.1
CVE-2025-41420 describes a critical Cross-Site Scripting (XSS) vulnerability affecting WWBN AVideo version 14.4. This vulnerability allows an attacker to execute arbitrary JavaScript code within a user's browser by crafting a malicious HTTP request. The vulnerability resides in the userLogin cancelUri parameter and is fixed in version 14.4.1.
Successful exploitation of CVE-2025-41420 allows an attacker to inject malicious JavaScript code into a webpage viewed by authenticated users of WWBN AVideo. This can lead to a variety of attacks, including session hijacking, account takeover, and defacement of the application. An attacker could potentially steal sensitive user data, redirect users to phishing sites, or even gain control of the entire application if the user has administrative privileges. The impact is particularly severe due to the CRITICAL CVSS score and the ease with which the vulnerability can be triggered.
CVE-2025-41420 was publicly disclosed on 2025-07-24. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's CRITICAL severity underscores the importance of prompt remediation.
Organizations using WWBN AVideo version 14.4 are at risk, particularly those with web applications that handle sensitive user data or provide access to critical systems. Shared hosting environments where multiple applications share the same server are also at increased risk, as a compromise of one application could potentially lead to the compromise of others.
• php / web: grep -r 'cancelUri' /var/www/avideo/src/
• php / web: Check for unusual JavaScript code being injected into userLogin pages.
• generic web: Monitor access logs for requests containing suspicious URLs with the 'cancelUri' parameter.
• generic web: Inspect response headers for signs of XSS payloads.
Disclosure
Exploit status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-41420 is to upgrade to WWBN AVideo version 14.4.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the userLogin cancelUri parameter to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Review and sanitize all user-supplied input before rendering it in the application.
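To make the workaround concrete, here is an added PHP example (not AVideo's own code) showing the weak pattern beside a hardened one for a login-page return-URL parameter such as cancelUri. The function names, the regex and the anchor markup are assumptions for illustration only.

```php
<?php
// Added example, not AVideo's code: validate a user-supplied return URL
// and output-encode it before it reaches HTML. Names here are assumed.

/**
 * Accept only same-origin relative paths, so the value can never carry a
 * scheme (javascript:, http://) or a foreign host (//evil.example).
 * Anything else falls back to the safe default.
 */
function safeCancelUri(?string $raw, string $default = '/'): string
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    // Must start with a single "/" and contain no characters that could
    // terminate an attribute or element.
    if (!preg_match('#^/(?!/)[^\s<>"\']*$#', $raw)) {
        return $default;
    }
    // Control characters could break out of headers or attributes.
    if (preg_match('/[\x00-\x1f\x7f]/', $raw)) {
        return $default;
    }
    return $raw;
}

/** Output-encode for use inside an HTML attribute or text node. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Weak pattern (the class of defect the advisory describes): the parameter
// is reflected into markup with no validation and no encoding.
//   echo '<a href="' . $_GET['cancelUri'] . '">Cancel</a>';

// Hardened pattern: validate the value, then encode at the point of output.
// '/videos?id=1' passes through; '//evil.example', 'javascript:alert(1)'
// and '/x" onmouseover=...' all collapse to the default '/'.
$cancelUri = safeCancelUri($_GET['cancelUri'] ?? null, '/');
echo '<a href="' . h($cancelUri) . '">Cancel</a>';
```

Validation and encoding are independent layers: the allow-list keeps dangerous URLs out, and htmlspecialchars guarantees that whatever remains cannot alter the surrounding markup.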
Update AVideo to a version later than 14.4 or to commit 8a8954ff. Consult the vendor's site for the latest version and update instructions. Apply the security measures recommended by the vendor to mitigate the XSS vulnerability.
CVE-2025-41420 is a critical Cross-Site Scripting (XSS) vulnerability in WWBN AVideo 14.4, allowing attackers to execute JavaScript code. It affects only version 14.4.
If you are using WWBN AVideo version 14.4, you are potentially affected by this vulnerability. Upgrade to 14.4.1 or later to mitigate the risk.
The recommended fix is to upgrade to WWBN AVideo version 14.4.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of exploitation. Monitor your systems closely.
Please refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-41420.