Talos Vulnerability Report

TALOS-2025-2205

WWBN AVideo managerPlaylists PlaylistOwnerUsersId parameter cross-site scripting (XSS) vulnerability

July 24, 2025

CVE Number

CVE-2025-46410

SUMMARY

A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 14.4
WWBN AVideo dev master commit 8a8954ff

PRODUCT URLS

AVideo - https://github.com/WWBN/AVideo

CVSSv3 SCORE

9.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

The PHP file plugin/PlayLists/managerPlaylists.php is vulnerable to an XSS issue due to missing sanitization of the PlaylistOwnerUsersId parameter:

    ...
    <li class="pull-right ">
        <form class="navbar-form form-inline input-group" role="search" id="searchFormPlaylist" method="get">
            <input type="search" id="searchPlaylist" name="searchPlaylist" placeholder="<?php echo __('Search Playlist'); ?>" class="form-control" value="<?php echo htmlspecialchars($_REQUEST['searchPlaylist'] ?? '', ENT_QUOTES, 'UTF-8'); ?>" autocomplete="off">
[1]         <input type="hidden" name="PlaylistOwnerUsersId" value="<?php echo @$_REQUEST['PlaylistOwnerUsersId']; ?>">
            <span class="input-group-append">
                <button class="btn btn-default btn-outline-secondary border-right-0 border py-2 faa-parent animated-hover" type="submit" id="buttonSearchPlaylist">
                    <i class="fas fa-search faa-shake"></i>
                </button>
            </span>
        </form>
    </li>
    ...

The PlaylistOwnerUsersId parameter is not properly sanitized before being embedded into the page contents [1], resulting in a straightforward reflected cross-site scripting (XSS) vulnerability. An attacker could exploit this flaw to execute malicious actions, such as compromising an administrator account. For instance, an attacker might deceive an administrator into clicking a crafted link that triggers the XSS attack.

TIMELINE

2025-07-08 - Vendor Disclosure
2025-07-08 - Vendor Patch Release
2025-07-24 - Public Release

Credit

Discovered by Claudio Bozzato of Cisco Talos.

TALOS-2025-2209

TALOS-2025-2206

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Company