PT-2025-30677 · Wwbn · Avideo
Claudio Bozzato · Published 2025-07-24 · Updated 2025-07-29 · CVE-2025-41420
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WWBN AVideo versions 14.4 and dev master commit 8a8954ff
Description
A cross-site scripting (XSS) vulnerability exists due to the improper handling of the cancelUri parameter within the userLogin functionality. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can potentially trigger this vulnerability by getting a user to visit a malicious webpage.
Recommendations
WWBN AVideo version 14.4: Sanitize or properly encode the cancelUri parameter to prevent the injection of malicious scripts.
WWBN AVideo dev master commit 8a8954ff: Sanitize or properly encode the cancelUri parameter to prevent the injection of malicious scripts.
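One way to apply the recommendation above in PHP, as an added example that is not AVideo's code or its fix. The page does not say where cancelUri is written into the response, so the helper names (safe_cancel_uri, html_attr, js_literal), the allowed host video.example.test and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Hypothetical helpers for illustration; not AVideo code.

// Return $raw only if it is a same-site path or an http(s) URL on an allowed host.
function safe_cancel_uri(?string $raw, array $allowedHosts, string $fallback = '/'): string
{
    if ($raw === null || $raw === '' || strlen($raw) > 2048) {
        return $fallback;
    }
    // Control characters, spaces and backslashes make browsers and parsers disagree.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return $fallback;
    }
    if ($raw[0] === '/') {
        // Exactly one leading slash; "//host" is a protocol-relative URL.
        return (strlen($raw) > 1 && $raw[1] === '/') ? $fallback : $raw;
    }
    $p = parse_url($raw);
    if (!is_array($p) || !isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])) {
        return $fallback;
    }
    $schemeOk = in_array(strtolower($p['scheme']), ['http', 'https'], true);
    $hostOk = in_array(strtolower($p['host']), $allowedHosts, true);
    return ($schemeOk && $hostOk) ? $raw : $fallback;
}

// Encode for an HTML attribute or text node.
function html_attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode as a JavaScript string literal that is safe inside a <script> block.
function js_literal(string $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed inputs: two acceptable values, then values that must fall back to "/".
$samples = [
    'https://video.example.test/home',
    '/videos?tag="a"&p=1',
    'javascript:alert(1)',
    '//other.example.test/x',
    '"><script>x</script>',
];
foreach ($samples as $s) {
    $safe = safe_cancel_uri($s, ['video.example.test']);
    printf("%-34s href=\"%s\" js=%s\n", $s, html_attr($safe), js_literal($safe));
}
```

Validation alone is not enough: the second sample passes the path check but still carries quotes and an ampersand, which only the encoder for the output context neutralises.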
Affected Products
Avideo