Platform
php
Component
avideo
Fixed version
14.4.1
8.0.1
CVE-2025-46410 describes a cross-site scripting (XSS) vulnerability affecting WWBN AVideo version 14.4 and the dev master branch. It allows an attacker to execute arbitrary JavaScript in a user's browser by crafting a malicious HTTP request. The flaw resides in the PlaylistOwnerUsersId parameter of managerPlaylists. A fix is available in version 14.4.1.
Successful exploitation of CVE-2025-46410 allows an attacker to inject malicious scripts into webpages viewed by authenticated users of WWBN AVideo. This can lead to a variety of attacks, including session hijacking, credential theft, and defacement of the application. The attacker could potentially gain complete control over the user's session, allowing them to perform actions on behalf of the user without their knowledge. The blast radius extends to any user who interacts with the vulnerable parameter, making it a significant risk for organizations relying on AVideo for content management.
CVE-2025-46410 was publicly disclosed on 2025-07-24. No public proof-of-concept (POC) code has been observed at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 9.6 indicates a critical severity, suggesting a high potential for exploitation if a suitable POC is developed and widely distributed.
Organizations using WWBN AVideo for content management, particularly those with custom integrations or extensions that rely on the managerPlaylists parameter, are at risk. Users with administrative privileges or those who frequently interact with the application are especially vulnerable to exploitation.
• php / web:
grep -r 'PlaylistOwnerUsersId' /var/www/avideo/
• generic web:
curl -I 'https://your-avideo-instance.com/managerPlaylists?PlaylistOwnerUsersId=<script>alert(1)</script>'
• generic web:
curl -s 'https://your-avideo-instance.com/managerPlaylists?PlaylistOwnerUsersId=<script>alert(1)</script>' | grep alert
Exploitation status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-46410 is to upgrade to WWBN AVideo version 14.4.1 or later, which includes a fix for the vulnerability. If immediate upgrading is not possible, consider implementing input validation and output encoding on the managerPlaylists PlaylistOwnerUsersId parameter to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Thoroughly review and update any existing security policies to address XSS vulnerabilities.
Update AVideo to a version later than the affected versions. See the vendor's website for the latest release and update instructions. Apply vendor-supplied security updates as soon as possible.
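As an added illustration of the interim mitigation above (this is not AVideo's code; only the parameter name comes from the advisory, and treating PlaylistOwnerUsersId as a positive integer users_id is an assumption), here is the unencoded reflection pattern beside a validated, output-encoded form:

```php
<?php
// Illustration for the CVE-2025-46410 class of bug: a request parameter
// reflected into HTML without encoding. Not AVideo's code; the handling
// around the parameter is assumed for the example.

// Vulnerable pattern: the raw parameter value is concatenated into markup,
// so a value containing quotes or tags breaks out of the attribute.
function renderOwnerFilterVulnerable(array $query): string {
    $owner = $query['PlaylistOwnerUsersId'] ?? '';
    return '<input name="PlaylistOwnerUsersId" value="' . $owner . '">';
}

// Input validation: a users_id is assumed to be a positive integer, so
// anything else is rejected before it reaches the page.
function validateOwnerUsersId($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened pattern: validate first, then HTML-encode on output anyway so
// the template stays safe even if the validation rule is relaxed later.
function renderOwnerFilterHardened(array $query): string {
    $id = validateOwnerUsersId($query['PlaylistOwnerUsersId'] ?? '');
    if ($id === null) {
        // Do not echo the rejected value back into the response.
        return 'Invalid PlaylistOwnerUsersId';
    }
    $safe = htmlspecialchars((string)$id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="PlaylistOwnerUsersId" value="' . $safe . '">';
}

// Constructed inputs: a legitimate id and a tag-bearing value of the kind
// the advisory's check commands send.
$benign  = ['PlaylistOwnerUsersId' => '42'];
$hostile = ['PlaylistOwnerUsersId' => '"><script>alert(1)</script>'];

echo renderOwnerFilterVulnerable($hostile), PHP_EOL;
echo renderOwnerFilterHardened($benign), PHP_EOL;
echo renderOwnerFilterHardened($hostile), PHP_EOL;
```

The first line of output shows the attribute being closed by the injected value; the hardened function returns a fixed error string for that input and an encoded integer for the benign one.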
CVE-2025-46410 is a critical Cross-Site Scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute JavaScript code.
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability. Upgrade to 14.4.1 to mitigate the risk.
Upgrade to WWBN AVideo version 14.4.1 or later. As a temporary measure, implement input validation and output encoding on the vulnerable parameter.
At the time of writing there are no confirmed reports of active exploitation, but the high CVSS score indicates a significant risk.
Please refer to the WWBN security advisories page for the latest information and official guidance regarding CVE-2025-46410.