CVE-2025-50128

WWBN · AVideo

A cross-site scripting (XSS) vulnerability in the WWBN AVideo 404 error handling functionality allows for arbitrary script injection via the videoNotFound parameter.

Executive summary

A critical cross-site scripting (XSS) vulnerability in WWBN AVideo 14.4 allows for arbitrary script execution during 404 error processing, creating a high risk of session compromise.

Vulnerability

The vulnerability is located in the videoNotFound parameter used to build the 404 error message (404ErrorMsg), which is reflected into the response without sufficient input sanitization or output encoding. An unauthenticated attacker can trigger it by crafting a request whose parameter value is echoed back into the page, so that arbitrary JavaScript runs in the browser of any user who follows the link.
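To make the defect class concrete, the following is an added Python model of a 404 handler that reflects a request parameter into the error page, shown beside its hardened form. It is illustration only, not AVideo's own code (AVideo is written in PHP); the template, function names and the sample parameter value are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Hypothetical 404 page template; the error message is interpolated at {msg}.
TEMPLATE = "<html><body><h1>404 - Not Found</h1><p>{msg}</p></body></html>"


def render_not_found_vulnerable(video_not_found: str) -> str:
    """Reflects the parameter verbatim: any markup it carries becomes live HTML."""
    return TEMPLATE.format(msg=video_not_found)


def render_not_found_hardened(video_not_found: str) -> str:
    """HTML-escapes the parameter first, so the browser renders it as plain text.

    quote=True also escapes " and ', which matters if the value is ever placed
    inside an attribute rather than element text.
    """
    return TEMPLATE.format(msg=html.escape(video_not_found, quote=True))


class _ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_elements(page: str) -> int:
    """Returns the number of <script> elements an HTML parser finds in the page."""
    parser = _ScriptTagCounter()
    parser.feed(page)
    return parser.script_tags


# Constructed sample value: a message that smuggles an inline script element.
SAMPLE_PARAM = "no such video <script>alert(1)</script>"

if __name__ == "__main__":
    for name, render in (("vulnerable", render_not_found_vulnerable),
                         ("hardened", render_not_found_hardened)):
        page = render(SAMPLE_PARAM)
        print(f"{name}: {count_script_elements(page)} script element(s)")
```

The vulnerable renderer yields one live script element for the sample value; the hardened renderer yields none, because the escaped text `&lt;script&gt;` is character data, not a tag. Output encoding at the point of interpolation is the fix the advisory's "input validation failure" maps to; a restrictive Content-Security-Policy on the error page is a useful second layer but not a substitute.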

Business impact

This flaw carries a CVSS score of 9.6, indicating an extremely high risk. Successful exploitation could lead to unauthorized access to sensitive user data, session hijacking, and the potential for persistent XSS if the payload is cached or stored, resulting in significant reputational and operational damage.

Remediation

Immediate Action: Apply the vendor-provided patch or update to the latest version of AVideo to address the input validation failure in the error handling module.

Proactive Monitoring: Monitor application error logs for recurring 404 errors that contain abnormal, non-standard characters or script-like patterns.

Compensating Controls: Utilize a Web Application Firewall (WAF) to intercept and block requests containing malicious payloads within the videoNotFound error parameter.
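As an added example of the monitoring step above (not part of the advisory or of AVideo), the following Python scans combined-format web server log lines for 404 responses whose videoNotFound parameter contains script-like or non-standard characters. The log lines, IP addresses and the `/404.php` handler path are constructed placeholders; AVideo's real error handler path is not given on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache/Nginx combined format); not real AVideo logs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "GET /video/abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2025:12:00:02 +0000] "GET /404.php?videoNotFound=clip-does-not-exist HTTP/1.1" 404 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:00:03 +0000] "GET /404.php?videoNotFound=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 404 812 "-" "curl/8.0"
198.51.100.8 - - [10/Jun/2025:12:00:04 +0000] "GET /404.php?videoNotFound=x%22%20onmouseover%3D%22alert(1) HTTP/1.1" 404 812 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jun/2025:12:00:05 +0000] "GET /missing-page HTTP/1.1" 404 500 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Script-like constructs: script/iframe/svg/img tags, inline event handlers, javascript: URLs.
SCRIPT_LIKE = re.compile(
    r'<\s*/?\s*(script|iframe|svg|img|object)\b|\bon[a-z]+\s*=|javascript\s*:', re.I
)
# Characters that never belong in an ordinary "video not found" message.
NON_STANDARD = re.compile(r'[<>"\'`]')


def find_suspicious_404s(log_text: str, param: str = "videoNotFound") -> list[dict]:
    """Returns one record per 404 whose `param` value looks like markup or script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        # parse_qs percent-decodes the value, so encoded tags are inspected in clear.
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if SCRIPT_LIKE.search(value) or NON_STANDARD.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_404s(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} videoNotFound={hit['value']!r}")
```

On the sample log the detector flags the two 404s carrying tag or event-handler syntax and ignores the ordinary "clip-does-not-exist" message and the 404 without the parameter. Decoding before matching is the important design point: WAF rules and log searches that grep the raw URL miss percent-encoded payloads, and a second decoding pass is worth adding if the deployment is known to accept double-encoded parameters.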

Exploitation status

Public Exploit Available: No

Analyst recommendation

The high CVSS score reflects the critical nature of this XSS vulnerability. Organizations running the affected version of AVideo must prioritize updating their installations to mitigate the risk of session hijacking and arbitrary script execution in users' browsers.