CVE-2023-47861

9.0 CRITICAL

📋 TL;DR

A cross-site scripting vulnerability in WWBN AVideo's channelBody.php allows attackers to inject malicious JavaScript via user name input. When exploited, this enables arbitrary script execution in victims' browsers. Users of WWBN AVideo 11.6 and certain development versions are affected.

💻 Affected Systems

Products:
  • WWBN AVideo
Versions: 11.6 and dev master commit 15fed957fb
Operating Systems: All platforms running affected AVideo versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when channelBody.php processes user name input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, defacement of user interfaces, or redirection to phishing sites.

🟢 If Mitigated

Limited impact with proper content security policies, input validation, and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (visiting a malicious page), but XSS payloads are simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for latest patched version

Vendor Advisory: https://github.com/WWBN/AVideo

Restart Required: No

Instructions:

1. Update to latest AVideo version.
2. Apply input validation and output encoding fixes to channelBody.php.
3. Review and sanitize all user-controlled inputs.

🔧 Temporary Workarounds

Implement Content Security Policy (all platforms)

Add CSP headers to restrict script execution sources.

Add the following header to the web server configuration:

Content-Security-Policy: default-src 'self'; script-src 'self'

Input Validation Filter (all platforms)

Add server-side validation for the user name field.

Implement regex validation for usernames: /^[a-zA-Z0-9_\-\.@]+$/

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads in user name parameters
  • Disable or restrict access to channelBody.php functionality if not essential

🔍 How to Verify

Check if Vulnerable:

Test by submitting <script>alert('XSS')</script> as the user name parameter to channelBody.php and checking whether the script executes

Check Version:

Check AVideo version in admin panel or review source code version markers

Verify Fix Applied:

Verify input validation prevents script tags and output encoding is properly applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in username fields
  • Multiple failed validation attempts on user input

Network Indicators:

  • HTTP requests with script tags in parameters
  • Unusual redirects from AVideo pages

SIEM Query:

source="web_logs" AND (uri="*channelBody.php*" AND (param="*<script>*" OR param="*javascript:*"))
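
The SIEM query above matches only the literal strings <script> and javascript:, so percent-encoded input in a request line would not match it. The following added example (not part of the original advisory or of the AVideo project) decodes query parameters from access-log lines before applying the same two indicators. The combined log format, the request path and the parameter name "name" are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request line inside a combined-format access log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The two indicators named in the SIEM query above, matched case-insensitively
INDICATOR_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for channelBody.php requests whose
    query parameters contain a script tag or javascript: URI after decoding."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith("channelbody.php"):
        return []
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl has already decoded once
        if INDICATOR_RE.search(decoded):
            hits.append((name, decoded))
    return hits


# Constructed sample log lines; the path and the "name" parameter are placeholders
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /channelBody.php?name=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /channelBody.php?name=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /channelBody.php?name=%253CSCRIPT%253Ex HTTP/1.1" 200 530',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        for name, value in suspicious_params(line):
            print(f"ALERT param={name!r} value={value!r}")
```

Access logs carry only the request line, so values submitted in a POST body need the same check applied wherever request bodies are logged.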
