PT-2026-25994 · Packagist · Wwbn Avideo
Published
2026-03-17
·
Updated
2026-03-17
·
CVE-2026-33035
CVSS v4.0
5.3
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Summary
AVideo contains a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's
json encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution.Root Cause
The vulnerability is caused by two issues working together:
1. Source: Unescaped user input passed to JavaScript (videoNotFound.php)
File:
view/videoNotFound.php line 49if (!empty($ REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json encode($ REQUEST['404ErrorMsg']) . ');';
}PHP's
json encode() with default flags only escapes quotes (" → ") and backslashes. It does NOT escape HTML special characters (<, >, /). The resulting string contains raw HTML tags that are passed directly to JavaScript.2. Sink: innerHTML renders HTML tags as executable DOM (script.js)
File:
view/js/script.jsfunction avideoAlertInfo(msg) { // line ~1891
avideoAlert("", msg, 'info'); // calls ↓
}
function avideoAlert(title, msg, type) { // line ~1270
avideoAlertHTMLText(title, msg, type); // calls ↓
}
function avideoAlertHTMLText(title, msg, type) { // line ~1451
var span = document.createElement("span");
span.innerHTML = msg; // line 1464 — XSS SINK
swal({ content: span });
}innerHTML parses the string as HTML. Any <img>, <svg>, or other HTML tags with event handlers are instantiated as real DOM elements, triggering JavaScript execution.Data Flow
URL parameter (?404ErrorMsg=PAYLOAD)
→ $ REQUEST['404ErrorMsg']
→ json encode() ← does NOT escape < > /
→ avideoAlertInfo()
→ avideoAlert()
→ avideoAlertHTMLText()
→ span.innerHTML = msg ← renders HTML tags, executes JSProof of Concept
https://localhost/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)>The page renders:
avideoAlertInfo("<img src=x onerror=alert(document.domain)>");Which flows to
span.innerHTML = "<img src=x onerror=alert(document.domain)>". The browser creates an <img> element, src=x fails to load, onerror fires alert(document.domain).Affected Code
| File | Line | Issue |
|---|---|---|
view/videoNotFound.php | 49 | json encode() does not escape < > for HTML context |
view/js/script.js | 1464 | span.innerHTML = msg renders user input as HTML |
view/js/script.js | 1282 | span.innerHTML = msg in avideoAlertWithCookie() |
view/js/script.js | 1335 | span.innerHTML = (msg,true) in avideoConfirm() |
view/js/script.js | 1358 | span.innerHTML = msg in avideoAlertOnceForceConfirm() |
The
innerHTML sink exists in 4 functions. Any future code that passes user input to avideoAlertInfo(), avideoAlertWarning(), avideoAlertDanger(), or avideoAlertSuccess() will create additional XSS vectors.Remediation
Fix 1: Escape HTML in PHP (source fix)
// view/videoNotFound.php line 49
// BEFORE (vulnerable):
echo 'avideoAlertInfo(' . json encode($ REQUEST['404ErrorMsg']) . ');';
// AFTER (fixed):
echo 'avideoAlertInfo(' . json encode($ REQUEST['404ErrorMsg'], JSON HEX TAG | JSON HEX AMP) . ');';JSON HEX TAG converts < → u003C and > → u003E, preventing HTML injection.Fix 2: Use textContent instead of innerHTML (sink fix, recommended)
// view/js/script.js - all alert functions
// BEFORE (vulnerable):
span.innerHTML = msg;
// AFTER (fixed):
span.textContent = msg;textContent treats the string as plain text — HTML tags are displayed literally, never parsed or executed.Fix 3: Add Content-Security-Policy header (defense in depth)
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'Impact
- Session hijacking — steal
PHPSESSIDcookie (not HttpOnly by default) - Account takeover — use stolen session to change password or email
- Phishing — inject a realistic login form inside the SweetAlert modal
- Worm propagation — inject self-spreading payloads via comments/messages
- Admin compromise — send crafted link to admin, steal session, gain full control
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wwbn Avideo