Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-32772Cross-site Scripting in Avideo

CWE-79Cross-site Scripting5 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
7.8%
top 8.01%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Wwbn Avideo
Timeline
PublishedAug 22
Latest updateAug 23

Description

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.This vulnerability arrises from the "msg" parameter which is inserted into the document with insufficient sanitization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5wwbn/avideodev master commit 3f7c0364
NVDwwbn/avideo11.6

🔴Vulnerability Details

1
GHSA
GHSA-578g-7pcp-xjj4: A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 112022-08-23

💥Exploits & PoCs

1
Nuclei
WWBN AVideo 11.6 - Cross-Site Scripting

🕵️Threat Intelligence

2
Talos
Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass2022-08-16
Talos
Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass2022-08-16