CVE-2023-48728
published 2024-01-10

Priority: P2 (78) · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 2.27% (80.9th percentile)
A cross-site scripting (XSS) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
wwbn   | avideo  |               |
wwbn   | avideo  |               |
wwbn   | avideo  |               |

Detection & IOCs (extracted from sources)

URL: /objects/functiongetOpenGraph.php?videoName=123+-->alert(document.domain)
Path: /objects/functiongetOpenGraph.php
  • Look for GET requests to /objects/functiongetOpenGraph.php with a crafted videoName parameter containing an XSS payload (e.g. an HTML-comment break "-->" or script injection). URL-decode the parameter before matching, since the markers are usually percent-encoded in transit.
  • When exploitation is attempted, the response body contains both the injected payload string 'alert(document.domain)' and the string 'OpenGraph no video'; the payload appearing unescaped next to that marker is the sign that the injection reached the browser intact.
  • Responses from the vulnerable endpoint carry HTTP status 200 or 500 with a Content-Type header containing text/html; either status can accompany a successful reflection, so do not filter on 200 alone.
  • The Shodan query html:"AVideo" can be used to identify exposed AVideo instances that are potentially vulnerable to this CVE.
  • The advisory covers WWBN AVideo 11.6 and dev master commit 3c6bb3ff specifically; other versions may not be vulnerable.
  • This is a reflected (not stored) XSS: exploitation requires a victim to visit a specially crafted URL, and nothing persists on the server for a later scan. Detection is therefore limited to request inspection: the AVideo host's web server or WAF logs see the crafted GET (the victim's browser sends it), and an egress proxy on the victim's network sees the same request outbound.
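The request-side detection described in the bullets above, as an added example (not code from the AVideo project or from the original page). It scans access-log lines in the Apache/nginx combined format for GET requests to /objects/functiongetOpenGraph.php whose videoName value, after URL decoding, carries an HTML-comment break or another reflected-XSS marker, and it carries the response-side indicator (payload reflected unescaped beside 'OpenGraph no video') as a separate check. The sample log lines are constructed: the first request target is the PoC URL quoted on this page, the others are assumed variants (percent-encoded, double-encoded, a benign name, and a different path) added to exercise the decoder. The marker list goes beyond the page's "-->" and script tags to the usual reflected-XSS tells; that generalisation is the editor's, not the advisory's.

```python
"""Log-based detection for CVE-2023-48728 exploitation attempts (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/objects/functiongetOpenGraph.php"
PARAM = "videoName"
REFLECTION_MARKER = "OpenGraph no video"  # string the page reports alongside the payload

# "-->" closes an HTML comment (the shape of the page's PoC); the rest are
# generic reflected-XSS tells that never belong in a video name (editor's list).
PAYLOAD_MARKERS = ("-->", "<script", "<img", "<svg", "<iframe",
                   "javascript:", "onerror=", "onload=")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (IPs are documentation ranges, not real sources).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /objects/functiongetOpenGraph.php?videoName=123+-->alert(document.domain) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:02 +0000] "GET /objects/functiongetOpenGraph.php?videoName=123+--%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:03 +0000] "GET /objects/functiongetOpenGraph.php?videoName=123%2B%252D%252D%253E HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:12:01:00 +0000] "GET /objects/functiongetOpenGraph.php?videoName=my-holiday-video HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:12:01:05 +0000] "GET /index.php?videoName=--%3E HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def decode_param(target):
    """Return the videoName value for a request to the vulnerable path, else None.

    parse_qs decodes one layer (and turns '+' into a space); the extra unquote
    catches double-encoded payloads such as %252D%252D%253E, which a single
    decode would leave as harmless-looking '%2D%2D%3E'.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    return unquote(values[0])


def is_suspicious(value):
    """True when the decoded value contains any reflected-XSS marker."""
    lowered = value.lower()
    return any(marker in lowered for marker in PAYLOAD_MARKERS)


def scan_log(lines):
    """Return one record per log line that looks like an exploitation attempt."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        value = decode_param(match["target"])
        if value is not None and is_suspicious(value):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "videoName": value,
            })
    return hits


def reflected_unescaped(body, value):
    """Response-side indicator from the page: the decoded parameter appears
    verbatim (not HTML-escaped) together with 'OpenGraph no video', i.e. the
    comment break reached the browser intact."""
    return value in body and REFLECTION_MARKER in body


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"videoName={hit['videoName']!r}")
```

Point scan_log at the AVideo host's access log (or a WAF export in the same format) rather than at the victim side; the 500-status line is kept on purpose, because the page lists 500 as a possible status for a successful reflection. The benign name and the request to a different path are dropped by decode_param before any marker matching happens, which keeps the rule from firing on unrelated query strings.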

CVSS provenance

NVD (CVSS v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 9.6 CRITICAL