CVE-2023-30860

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-30860

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30860.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-30860

Aliases

GHSA-xr9h-p2rc-rpqm

Published

2023-05-08T19:15:12Z

Modified

2024-05-14T12:54:49.998411Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.

References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type: GIT
Repo: https://github.com/wwbn/avideo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

25305ffb07b87798db52536cda0329c988e6dac7

Affected versions

10.*

10.4

10.8

Other

11.*

11.1

11.1.1

11.5

11.6

2.*

2.2

2.4

2.7

3.*

3.4

3.4.1

4.*

4.0

4.0.1

4.0.2

5.*

5.0

6.*

6.5

7.*

7.2

7.3

7.4

7.5

7.6

7.7

7.8

8.*

8.1

8.5

8.6

8.7

8.9

8.9.1