CVE-2022-50949

Name of the Vulnerable Software and Affected Versions Videos sync PDF version 1.7.4

Description An authenticated attacker can inject malicious scripts through the plugin options panel. This occurs due to unsanitized input in the nom, pdf, mp4, webm, and ogg parameters. By using payloads such as autofocus onfocus event handlers, an attacker can execute arbitrary JavaScript when administrators view or edit video settings. This is a stored cross-site scripting issue, where the malicious script is permanently stored on the server and executed in the browser of the victim.

Recommendations As a temporary workaround, restrict access to the plugin options panel or avoid modifying the nom, pdf, mp4, webm, and ogg parameters until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.