WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
The WebSocket server of the YPTSocket plugin passes JSON message bodies supplied by the attacker to all connected clients without any sanitization of the `msg` and `callback` fields. On the client side, the `plugin/YPTSocket/script.js` script passes these fields directly to two `eval()` calls (lines 568 and 95), which causes the supplied JavaScript code to be executed in the recipient's browser context. Access tokens are issued to anonymous users and are not re-verified beyond their decryption, meaning that an attacker without any credentials can broadcast a malicious payload to all active sessions.
An attacker can take over accounts of all currently logged-in users (including administrators), steal session tokens, and perform privileged operations on their behalf — leading to complete platform compromise.
Apply the fix contained in commit c08694bf6264eb4decceb78c711baee2609b4efd available in the WWBN/AVideo GitHub repository. Until the update is applied, consider disabling the YPTSocket plugin or restricting access to the WebSocket server at the firewall level.
WWBN AVideo version 29.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWwbn Avideo
APPWwbn≤ 29.0
Related vulnerabilities
WWBN AVideo — niekompletna naprawa command injection w test.php
SQL Injection w WWBN AVideo — mechanizm uwierzytelniania RTMP
WWBN AVideo: hasła do filmów przechowywane w bazie jako plaintext
SSRF w WWBN AVideo — brak walidacji parametru URL w saveDVR.json.php
RCE bez uwierzytelnienia w WWBN AVideo — łańcuch podatności w pluginie CloneSite