Platform: php
Component: avideo
Fixed version: 14.4.1
8.0.1
CVE-2025-50128 describes a cross-site scripting (XSS) vulnerability in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo. Successful exploitation lets an attacker run arbitrary JavaScript in a victim's browser, putting that user's session and data at risk. The vulnerability affects version 14.4 and the dev master branch; version 14.4.1 contains the fix.
The attack described here is reflected XSS: the attacker places a script payload in the vulnerable parameter of a crafted HTTP request and entices an authenticated AVideo user to open the resulting URL. The payload is echoed into the page and executes in the victim's browser under the site's origin, where it can read session cookies that lack the HttpOnly flag, issue requests with the victim's privileges, redirect to a phishing page, or rewrite page content. The consequences go well beyond defacement: an attacker who targets an administrator inherits that account's access to the instance's management functions and stored data, and because the payload travels in a URL the attack scales to as many users as can be induced to click.
CVE-2025-50128 was publicly disclosed on 2025-07-24. The vulnerability is considered critical on the basis of ease of exploitation and potential impact. No public proof-of-concept (PoC) has been observed at the time of writing, but reflected XSS payloads are straightforward to construct, so one is likely to emerge. The vulnerability has not been added to the CISA KEV catalog as of this date.
Organizations running WWBN AVideo 14.4, particularly with a publicly reachable video portal, are at significant risk. Multi-tenant deployments, where many users share one AVideo instance, are especially exposed because one reflected payload can be aimed at any account on that instance.
• php: Examine access logs for requests carrying suspicious values in the affected parameter. The Talos naming "videoNotFound 404ErrorMsg" denotes the 404ErrorMsg parameter of the videoNotFound page, so match on that name as well as on videoNotFound, and look for markup after the `=` rather than just the parameter name (a pattern such as `videoNotFound=[^a-zA-Z0-9]*` matches every request, because `*` permits zero characters). Attackers percent-encode payloads, so include the encoded forms of `<` and `>`.
grep -iE '(404ErrorMsg|videoNotFound)=[^ &"]*(%3C|<|%3E|>|script|onerror|onload|javascript)' access.log
• generic web: Use curl to send a marker payload and inspect the response body for an unescaped reflection. curl does not run JavaScript, so "script execution" cannot be observed directly; what distinguishes a vulnerable instance is that the literal `<script>alert(1)</script>` comes back as live markup, whereas a patched one returns it entity-encoded (`&lt;script&gt;`) or not at all. `--data-urlencode` with `-G` encodes the payload correctly for the query string. Adjust the parameter name to whichever this page's two names your installation exposes.
curl -sG 'http://your-avideo-site.com/' --data-urlencode 'videoNotFound=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>'
• generic web: Check response headers for a Content-Security-Policy. A missing policy, or one whose script-src (or default-src fallback) contains 'unsafe-inline' or a wildcard source, leaves a reflected script free to execute.
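The log-review and curl steps above, as a runnable added example (not code from WWBN AVideo or from the Talos report): the scanner parses combined-format access log lines, URL-decodes the watched parameter values through several encoding layers, and flags markup that has no business in an error message; `reflection_status` then classifies a response body as reflecting a probe payload unescaped, entity-encoded, or not at all. Assumptions: Apache/nginx combined log format, a GET parameter named 404ErrorMsg (videoNotFound is also checked because this page's grep keys on it), and the log records and paths below are constructed, not real traffic.

```python
"""Scan a combined-format access log for reflected-XSS probes aimed at the
AVideo videoNotFound / 404ErrorMsg parameter, and classify how a response body
reflects a test payload. Added example for this advisory; not code from WWBN
AVideo or from the Talos report. Assumptions: Apache/nginx combined log
format; the vulnerable value travels in a GET parameter named 404ErrorMsg
(videoNotFound= is also checked because this page's own grep keys on it);
the log lines below are constructed, not real traffic."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format record: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Query parameters to inspect (assumption, see module docstring)
WATCHED_PARAMS = ("404ErrorMsg", "videoNotFound")

# Markup that has no place in a legitimate "video not found" message
XSS_MARKERS = (
    re.compile(r"<\s*/?\s*(script|img|svg|iframe|body|object|embed|a)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so %253C and %3C both become <."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Map watched parameter name -> decoded value for values that look like XSS probes."""
    hits = {}
    # parse_qs already removes one layer of encoding; decode_fully handles the rest
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            value = decode_fully(raw)
            if any(marker.search(value) for marker in XSS_MARKERS):
                hits[name] = value
    return hits


def scan_log(lines):
    """Return (line_no, client_ip, parameter, decoded_value) for every flagged request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for param, value in suspicious_params(match.group("target")).items():
            findings.append((line_no, client_ip, param, value))
    return findings


def reflection_status(body: str, payload: str) -> str:
    """Classify how a response reflects the payload sent by the curl probe.

    'unescaped' -> payload is live markup (vulnerable)
    'escaped'   -> payload appears only HTML-entity-encoded (fix in place)
    'absent'    -> payload not reflected at all
    Keep quote characters out of the payload: PHP's htmlspecialchars and
    Python's html.escape encode single quotes differently.
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


# Constructed sample records (RFC 5737 test addresses); paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2025:10:01:02 +0000] "GET /videoNotFound/?404ErrorMsg=Video%20not%20found HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jul/2025:10:01:07 +0000] "GET /videoNotFound/?404ErrorMsg=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.9 - - [24/Jul/2025:10:01:09 +0000] "GET /?videoNotFound=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '192.0.2.77 - - [24/Jul/2025:10:02:00 +0000] "GET /videoNotFound/?404ErrorMsg=404 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, ip, param, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} probed {param}={value!r}")
    print(reflection_status("<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>", "<script>alert(1)</script>"))
```

Run against a real log with `scan_log(open("access.log"))`; the double-decoding step is what catches the third sample record, which a single-pass grep on `<` or `%3C` misses. The same `reflection_status` call, fed the body returned by the curl probe, is the post-upgrade check: "escaped" or "absent" after installing 14.4.1, "unescaped" before.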
Disclosure
Exploitation status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-50128 is to upgrade immediately to version 14.4.1 or later, which contains the fix. If an upgrade is not immediately feasible, a Web Application Firewall (WAF) rule that blocks requests carrying markup in the videoNotFound 404ErrorMsg parameter buys time, but treat it as a stopgap: signature rules are routinely bypassed with alternative encodings and tag variants. The durable fix is output encoding at render time (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset) rather than input filtering. Deploy a strict Content Security Policy that restricts script sources (nonce- or hash-based, without 'unsafe-inline') so that a reflected script cannot run even if one slips through. After upgrading, confirm the fix by sending a benign marker payload such as `<script>alert(1)</script>` and checking that the response returns it entity-encoded (`&lt;script&gt;`) or omits it, rather than as live markup.
Update AVideo to a version newer than 14.4, or to a commit after 8a8954ff. This fixes the XSS in the videoNotFound 404ErrorMsg parameter. See the Talos Intelligence report for further details.
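The CSP advice in the mitigation above and in the detection checklist's header check is easy to get wrong, so here is an added example (not AVideo project code) that evaluates a Content-Security-Policy header value the way a browser would apply it to a reflected `<script>` injection: duplicate directives are resolved first-occurrence-wins, script sources fall back from script-src-elem to script-src to default-src, and 'unsafe-inline' is treated as neutralised when a nonce or hash is present. The policies used in the test are constructed, not taken from any real deployment.

```python
"""Assess a Content-Security-Policy header for its ability to contain a
reflected <script> injection such as the one described in this advisory.
Added example, not AVideo project code; sample policies are constructed."""

# Directives whose sources govern <script> elements, in browser fallback order
SCRIPT_DIRECTIVES = ("script-src-elem", "script-src", "default-src")

# Source expressions that let an injected <script src=...> pull code from anywhere
OPEN_SOURCES = ("*", "http:", "https:", "data:", "blob:")


def parse_csp(header: str) -> dict:
    """Return {directive: [source, ...]}. Browsers honour only the first
    occurrence of a repeated directive, so later duplicates are dropped here too."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective_script_sources(policy: dict):
    """Source list that applies to script elements, or None if nothing restricts them."""
    for directive in SCRIPT_DIRECTIVES:
        if directive in policy:
            return policy[directive]
    return None


def assess_csp(header) -> list:
    """Return findings relevant to reflected XSS. An empty list means the policy
    blocks an injected inline <script> and does not let it load code from
    arbitrary hosts; it says nothing about other directives (object-src, base-uri)."""
    if not header or not header.strip():
        return ["no Content-Security-Policy header: an injected <script> runs unrestricted"]
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["neither script-src nor default-src present: scripts unrestricted"]

    findings = []
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        findings.append("'unsafe-inline' permits the reflected inline <script> to execute")
    # With 'strict-dynamic', host and scheme sources are ignored, so only check without it
    if "'strict-dynamic'" not in sources:
        for src in sources:
            if src in OPEN_SOURCES:
                findings.append(f"source {src} lets <script src=...> load attacker-hosted code")
                break
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' widens what injected code can do once it runs")
    return findings


if __name__ == "__main__":
    # Constructed policies: the weak settings and a corrected one
    for policy in (
        None,
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "default-src *; img-src 'self'",
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
    ):
        print(repr(policy), "->", assess_csp(policy) or "ok for reflected <script>")
```

Feed it the value from `curl -sI` of the affected page. The fourth policy passes because the nonce makes 'unsafe-inline' inert in modern browsers while still allowing the application's own nonced scripts; the application must then actually emit a fresh nonce per response, which this checker cannot verify.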
CVE-2025-50128 is a critical cross-site scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute malicious scripts.
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability.
Upgrade to version 14.4.1 or later to resolve the vulnerability. Implement WAF rules and CSP headers as temporary mitigations.
While no active exploitation has been confirmed, reflected XSS payloads are trivial to construct, so exploitation attempts should be expected.
Refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-50128.