PT-2021-16826 · Unknown · Avideo/Youphptube
Published
2021-11-01
·
Updated
2024-02-14
·
CVE-2021-25878
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
AVideo/YouPHPTube versions 10.0 and prior
Description
The issue affects AVideo/YouPHPTube, allowing a remote attacker to steal administrators' session cookies or perform actions as an administrator due to multiple reflected Cross Scripting vulnerabilities. This is achieved via the
videoName parameter.Recommendations
For versions 10.0 and prior, consider disabling the
videoName parameter in the affected API endpoint until a patch is available. Restrict access to administrative functions to minimize the risk of exploitation. Avoid using the videoName parameter until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Avideo/Youphptube