CVE-2025-46410

WWBN · AVideo

A cross-site scripting (XSS) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter of WWBN AVideo, allowing for potential malicious script injection.

Executive summary

A critical cross-site scripting vulnerability in WWBN AVideo 14.4 poses a significant risk of unauthorized script execution within the user's browser context.

Vulnerability

This is a cross-site scripting (XSS) vulnerability located in the managerPlaylists functionality, specifically within the PlaylistOwnerUsersId parameter. Based on the functional area, this likely requires an authenticated session to exploit.

Business impact

Successful exploitation of this XSS vulnerability could allow an attacker to hijack user sessions, perform unauthorized actions on behalf of the user, or deface the application interface. Given the CVSS score of 9.6, this flaw represents a critical risk to data integrity and user confidentiality, potentially leading to full account takeover if administrative sessions are compromised.

Remediation

Immediate Action: Upgrade to the latest version of AVideo provided by the vendor to remediate the vulnerable parameter.

Proactive Monitoring: Review web server and application access logs for unusual patterns or suspicious strings within URL parameters related to playlist management.

Compensating Controls: Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to inspect and block malicious payloads targeting the PlaylistOwnerUsersId parameter.
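The log review described under Proactive Monitoring can be scripted. The following Python is an added example, not part of this advisory or of AVideo's own code: it scans combined-format access-log lines for requests to the playlist-management endpoint whose PlaylistOwnerUsersId value is not a plain integer or contains markup characters. The endpoint path /managerPlaylists, the assumption that the owner id is numeric, and the sample log lines are all constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# The path /managerPlaylists is an assumption standing in for the real AVideo
# route; the parameter name PlaylistOwnerUsersId comes from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2025:10:00:01 +0000] "GET /managerPlaylists?PlaylistOwnerUsersId=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/May/2025:10:00:02 +0000] "GET /videos?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2025:10:00:03 +0000] "GET /managerPlaylists?PlaylistOwnerUsersId=42%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [01/May/2025:10:00:04 +0000] "GET /managerPlaylists?PlaylistOwnerUsersId=abc HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.8 - - [01/May/2025:10:00:05 +0000] "GET /managerPlaylists?PlaylistOwnerUsersId=7&sort=name HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PARAM = "PlaylistOwnerUsersId"
NUMERIC_RE = re.compile(r"^\d+$")  # assumption: a user id is a decimal integer
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def classify_value(raw: str) -> Optional[str]:
    """Label one parameter value, or return None if it looks like a plain id."""
    value = unquote(raw)  # second decode catches double-encoded values
    if NUMERIC_RE.match(value):
        return None
    if MARKUP_RE.search(value):
        return "markup_in_user_id"
    return "non_numeric_user_id"


def scan_access_log(text: str) -> list:
    """Return one finding per request carrying a suspicious PlaylistOwnerUsersId."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "managerplaylists" not in parts.path.lower():
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for raw in query.get(PARAM, []):
            label = classify_value(raw)
            if label:
                findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                                 "reason": label, "value": unquote(raw)})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['reason']} value={f['value']!r}")
```

Run against real logs, tune the endpoint match to the actual AVideo route and feed the output to your alerting pipeline; a WAF rule enforcing the same integer-only check on the parameter is the equivalent preventive control.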

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

The high CVSS score of 9.6 underscores the severity of this vulnerability. Organizations using AVideo must prioritize upgrading to the latest patched version to neutralize the risk of unauthorized script execution and potential session compromise.