PT-2026-26783 · Avideo · Avideo
Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33499
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: AVideo is susceptible to a reflected Cross-Site Scripting (XSS) issue. The view/forbiddenPage.php and view/warningPage.php templates directly reflect the $_REQUEST['unlockPassword'] parameter into an HTML <input> tag's attributes without proper output encoding or sanitization. This allows an attacker to craft a malicious URL that injects arbitrary HTML attributes, including JavaScript event handlers, potentially leading to the execution of attacker-controlled JavaScript code in the context of the target domain. The vulnerability exists because the unlockPassword parameter is not filtered by the application's security filters. The issue is present in the forbiddenPage() function within objects/functionsSecurity.php and the getInputPassword() function in objects/functions.php. An attacker can exploit this by sending a crafted URL to a user; once the user clicks the link, the injected JavaScript will execute, potentially enabling session hijacking, account takeover, or phishing attacks. The vulnerable code is located in view/forbiddenPage.php lines 31-35 and view/warningPage.php lines 31-34.

Recommendations: Apply htmlspecialchars() output encoding to the reflected value in view/forbiddenPage.php line 33:

$value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');

Apply htmlspecialchars() output encoding to the reflected value in view/warningPage.php line 32:

$value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');
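The following is an added example, not code from the AVideo project: a minimal stand-in for the password <input> rendering described above, showing the reflected value unencoded (the reported defect) beside the recommended htmlspecialchars() encoding, with a round-trip check a maintainer could keep as a regression test. The function names and the sample value are constructed for this example.

```php
<?php
// Added example (not AVideo's code). Stand-in for the unlockPassword <input>
// rendering described in the advisory: defect pattern beside the recommended fix.

function renderUnlockInputUnencoded(array $request): string
{
    // Defect pattern: the request value goes into the attribute verbatim, so a
    // quote character in it terminates the value attribute.
    $value = $request['unlockPassword'] ?? '';
    return '<input type="password" name="unlockPassword" value="' . $value . '">';
}

function renderUnlockInputEncoded(array $request): string
{
    // Recommended fix: attribute-context encoding. ENT_QUOTES encodes both " and ',
    // so the value cannot close a double- or single-quoted attribute;
    // ENT_SUBSTITUTE stops malformed UTF-8 from turning the output into an empty string.
    $value = (string) ($request['unlockPassword'] ?? '');
    $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="password" name="unlockPassword" value="' . $value . '">';
}

// Regression check: the markup must still contain only the template's own three
// quoted attributes, and the value attribute, once decoded the way a browser
// decodes it, must equal the raw input exactly (nothing escaped the attribute).
function roundTripsValue(string $html, string $rawValue): bool
{
    if (substr_count($html, '"') !== 6) {
        return false;
    }
    if (!preg_match('/ value="([^"]*)"/', $html, $m)) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $rawValue;
}

// Constructed sample covering every character that matters in an attribute context.
$sample = ['unlockPassword' => 'p"a\'s<s>&w'];

var_dump(roundTripsValue(renderUnlockInputUnencoded($sample), $sample['unlockPassword']));
var_dump(roundTripsValue(renderUnlockInputEncoded($sample), $sample['unlockPassword']));
```

The unencoded rendering fails the check because the embedded double quote splits the attribute; the encoded rendering passes because the browser-side decoding of the attribute reproduces the original string and nothing else.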

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-33499, GHSA-7292-W8QP-MHQ2

Affected Products: Avideo