GHSA-2fch-hv74-fgw9

Published: 26 Apr 2023
Source: github
Github: Reviewed

Description

Cross site scripting (XSS) in wwbn/avideo

Description:

While creating an account on demo.avideo.com, I found a parameter "?success=" which did not properly sanitize any symbol characters, which leads to an XSS attack.

Impact:

Since there is an Admin account on demo.avideo.com, an attacker can use this attack to take over the admin's account.

Steps to Reproduce:

  1. Click the link below:

https://demo.avideo.com/user?success="><img src=x onerror=alert(document.cookie)>

  2. Then the XSS will be executed.
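The defect described above is a reflected XSS in an HTML output context: the value of the success query parameter is written back into the page without HTML encoding. The following is an added example and not AVideo's own code; the advisory does not say which file or template emits the message, so the handler below is hypothetical and only mirrors the behaviour the report describes. It places the vulnerable pattern beside the hardened one and runs both over the value from the reproduction link so the difference in output is visible.

```php
<?php
// Added example (hypothetical handler, not AVideo's code). It shows the
// vulnerable output pattern the advisory describes next to its fix.

// Vulnerable pattern: the raw query-string value is concatenated into HTML.
// A value containing a double quote and a tag closes the attribute and
// injects markup, which is exactly the CWE-79 condition reported.
function renderSuccessVulnerable(string $success): string
{
    return '<div class="alert" data-msg="' . $success . '">' . $success . '</div>';
}

// Hardened pattern: encode for the HTML context before output.
// ENT_QUOTES encodes both " and ', so the value cannot break out of an
// attribute; < and > are encoded as well, so no new element can start.
function renderSuccessSafe(string $success): string
{
    $safe = htmlspecialchars($success, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert" data-msg="' . $safe . '">' . $safe . '</div>';
}

// Constructed input: the URL-decoded value of the ?success= parameter
// from the advisory's reproduction link.
$_GET['success'] = '"><img src=x onerror=alert(document.cookie)>';
$value = (string) ($_GET['success'] ?? '');

echo "Vulnerable output:\n", renderSuccessVulnerable($value), "\n\n";
echo "Hardened output:\n", renderSuccessSafe($value), "\n";

// Defender-side check: the hardened output carries no raw tag from the input,
// only its encoded form, so the browser renders it as text.
$hardened = renderSuccessSafe($value);
assert(strpos($hardened, '<img') === false);
assert(strpos($hardened, '&lt;img') !== false);
assert(strpos($hardened, '&quot;&gt;') !== false);
```

Run it with `php example.php`. The encoding function is chosen by output context: `htmlspecialchars()` with `ENT_QUOTES` is correct for HTML element content and quoted attribute values, but a value written into a `<script>` block, an event-handler attribute or a URL needs the encoder for that context instead, and input-side "sanitizing" of particular characters, as the report wording suggests, is not a substitute for encoding at the point of output.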

Packages

Name: wwbn/avideo (composer)
Affected versions: < 12.4
Fixed version: 12.4

Weaknesses

CWE-79