CVE-2023-30860
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo's meeting scheduling feature. Attackers can inject malicious scripts into meeting rooms that execute when viewed by other users, including administrators. This allows cookie hijacking and potential account takeover of any user who views the compromised meeting room.
💻 Affected Systems
- WWBN AVideo
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of administrators and all users, leading to full system compromise, data theft, and potential ransomware deployment.
Likely Case
Session hijacking of users who view malicious meeting rooms, leading to unauthorized access to accounts and potential privilege escalation.
If Mitigated
Limited impact with proper content security policies and session hardening, though XSS could still execute in user context.
🎯 Exploit Status
Exploitation requires authenticated user access but is straightforward once authenticated. Video demonstrations exist showing the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.4
Vendor Advisory: https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm
Restart Required: No
Instructions:
1. Back up your AVideo installation and database.
2. Download AVideo version 12.4 or later from the official repository.
3. Replace all files with the new version.
4. Run any database migration scripts if provided.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Sanitization Enhancement
Implement additional input validation and output encoding for meeting room creation fields.
Modify the meeting scheduling PHP files to add htmlspecialchars() or a similar output-encoding function wherever meeting room fields are rendered.
Content Security Policy
Implement strict Content Security Policy headers to prevent execution of injected scripts.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration. A policy this strict also blocks any inline scripts the application itself relies on, so test it before deploying.
🧯 If You Can't Patch
- Disable meeting scheduling feature entirely in AVideo configuration
- Implement web application firewall (WAF) rules to block XSS payloads in meeting room parameters
🔍 How to Verify
Check if Vulnerable:
Check whether the AVideo version is below 12.4 by viewing it in the admin panel or in the version.php file.
Check Version:
grep "\$version" /path/to/avideo/version.php
Verify Fix Applied:
Test meeting room creation with an XSS test string such as <script>alert('test')</script> and verify that it is displayed as literal text rather than executed when the meeting room is viewed.
📡 Detection & Monitoring
Log Indicators:
- Unusual meeting room creation patterns
- Script tags or JavaScript in meeting room parameters in application logs
Network Indicators:
- HTTP requests containing script tags in meeting-related parameters
- Unexpected external resource loads from meeting pages
SIEM Query:
source="avideo_logs" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND path="*meeting*"
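The SIEM query above matches the indicators only in their literal form; payloads submitted through a browser usually arrive percent-encoded in the request line and would slip past it. This added example (not part of the original advisory) applies the same indicator list and the path="*meeting*" condition to constructed access-log lines, decoding the request target first so encoded and double-encoded variants are also caught. The log format, paths and usernames are placeholders, not real AVideo endpoints.

```python
import re
from urllib.parse import unquote_plus

# Indicator substrings from the page's SIEM query, matched case-insensitively.
INDICATORS = ("<script", "javascript:", "onload=", "onerror=")

# Constructed sample access-log lines in common log format. Paths, users and
# payloads are placeholders chosen to exercise the rule, not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [01/May/2023:10:00:01 +0000] "POST /meeting/schedule?title=Weekly+sync HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/May/2023:10:02:17 +0000] "POST /meeting/schedule?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/May/2023:10:03:40 +0000] "POST /meeting/schedule?title=%3Cimg+src%3Dx+onError%3Dalert(1)%3E HTTP/1.1" 200 512',
    '10.0.0.7 - carol [01/May/2023:10:05:02 +0000] "GET /video/view?id=42&note=%3Cscript%3E HTTP/1.1" 200 2048',
    '10.0.0.5 - alice [01/May/2023:10:06:11 +0000] "GET /meeting/list HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def decode_target(target: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_meeting_xss(lines):
    """Return (user, ip, decoded target) for meeting requests that carry an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        target = decode_target(m.group("target"))
        lowered = target.lower()
        if "meeting" not in lowered:
            continue  # mirrors the query's path="*meeting*" condition
        if any(ind in lowered for ind in INDICATORS):
            hits.append((m.group("user"), m.group("ip"), target))
    return hits


if __name__ == "__main__":
    for user, ip, target in find_meeting_xss(SAMPLE_LOGS):
        print(f"ALERT user={user} ip={ip} target={target}")
```

The non-meeting request carrying a script tag is deliberately left out of the results, matching the scope of the original query; widen the path filter if you want to hunt for the same indicators elsewhere in the application.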