PT-2022-18434 · Wwbn · Avideo

Published

2022-04-05

Updated

2022-04-12

CVE-2022-27462

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions through 11.6

Description The issue is related to a Cross Site Scripting (XSS) vulnerability in the getDeviceID function within objects/function.php. This vulnerability can be exploited via the yptDevice parameter in the view/include/head.php endpoint.

Recommendations For WWBN AVideo versions through 11.6, consider disabling the getDeviceID function until a patch is available. Restrict access to the view/include/head.php endpoint to minimize the risk of exploitation. Avoid using the yptDevice parameter in the affected endpoint until the issue is resolved.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2022-27462

Affected Products

Avideo

PT-2022-18434 · Wwbn · Avideo

CVE-2022-27462

Weakness Enumeration

Related Identifiers

Affected Products

References · 6