CVE-2026-43878

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.1

Description An issue exists where the 'plugin/Meet/iframe.php' endpoint echoes the user and pass query parameters unescaped into a JavaScript double-quoted string literal within a <script> block. This allows an attacker to send a crafted URL to a victim, breaking out of the string to execute arbitrary JavaScript in the victim's browser under the AVideo origin. This can occur without authentication if a public Meet schedule exists on the target. The root cause involves a two-step reflection where the loginFromRequestToGet() function returns raw concatenation of request parameters without sanitization, which is then emitted into a JS string literal without escaping.

Recommendations For versions prior to 29.1, apply JSON encoding at the sink in 'plugin/Meet/iframe.php' to ensure the string remains a valid JS literal. Additionally, update the loginFromRequestToGet() function in 'objects/user.php' to use rawurlencode for the user and pass parameters.