GHSA-f98p-2hc5-fm7v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f98p-2hc5-fm7v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-f98p-2hc5-fm7v/GHSA-f98p-2hc5-fm7v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f98p-2hc5-fm7v
- Aliases
- Published
- 2024-05-20T18:43:57Z
- Modified
- 2024-05-20T19:11:53.708123Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- AVideo cross-site scripting vulnerability in the view/about.php page
- Details
-
The PHP file view/about.php is vulnerable to an XSS issue due to no sanitization of the user agent.
At line [53], the website gets the user-agent from the headers through $SERVER['HTTPUSER_AGENT'] and echo it without any sanitization.
In PHP, echo a user generated statement, here the User-Agent Header, without any sanitization allows an attacker to inject malicious scripts into the output of a web page, which are then executed in the browser of anyone viewing that page.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "nvd_published_at": null, "github_reviewed_at": "2024-05-20T18:43:57Z", "severity": "MODERATE" }- References
Affected packages
Packagist / wwbn/avideo
Package
- Name
- wwbn/avideo
- Purl
- pkg:composer/wwbn/avideo