Talos Vulnerability Report

TALOS-2025-2209

WWBN AVideo userLogin cancelUri parameter cross-site scripting (XSS) vulnerability

July 24, 2025

CVE Number

CVE-2025-41420

SUMMARY

A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 14.4
WWBN AVideo dev master commit 8a8954ff

PRODUCT URLS

AVideo - https://github.com/WWBN/AVideo

CVSSv3 SCORE

9.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

The PHP file view/userLogin.php is vulnerable to an XSS issue due to missing sanitization of the cancelUri parameter:

    ...
    if (!empty($_REQUEST['cancelUri']) && isValidURL($_REQUEST['cancelUri'])) {
    ?>
        <div class="row <?php echo getCSSAnimationClassAndStyle(); ?>">
            <div class="col-md-12">
[1]             <a href="<?php echo $_REQUEST['cancelUri']; ?>" class="btn btn-link btn-block"><i class="fas fa-arrow-left"></i> <?php echo __("Cancel"); ?></a>
            </div>
        </div>
    <?php
    }
    ?>
    ...

The cancelUri parameter is not properly sanitized before being embedded into the page contents [1], resulting in a straightforward reflected cross-site scripting (XSS) vulnerability. An attacker could exploit this flaw to execute malicious actions, such as compromising an administrator account. For instance, an attacker might deceive an administrator into clicking a crafted link that triggers the XSS attack.

Note that in order to trigger this vulnerability, the victim must be logged off from AVideo. To do this it’s enough to request https://localhost/logoff before redirecting the user to userLogin.php page.

TIMELINE

2025-07-08 - Vendor Disclosure
2025-07-08 - Vendor Patch Release
2025-07-24 - Public Release

Credit

Discovered by Claudio Bozzato of Cisco Talos.

TALOS-2025-2208

TALOS-2025-2205

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Company