CVE-2023-48728

9.6 CRITICAL

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in the getOpenGraph videoName functionality of WWBN AVideo. An attacker can inject JavaScript into the video name, and when the manipulated content is viewed, that script runs in the victim's browser with the privileges of the site. All users of vulnerable WWBN AVideo installations are affected.

💻 Affected Systems

Products:
  • WWBN AVideo
Versions: 11.6 and dev master commit 3c6bb3ff
Operating Systems: All platforms running AVideo
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the vulnerable functionality are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on visitors' systems.

🟠 Likely Case

Session hijacking, credential theft, defacement of video pages, or redirection to phishing sites.

🟢 If Mitigated

Limited impact if proper Content Security Policy (CSP) headers are implemented and input validation is enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (a victim visiting a page that carries the injected content), but storing the payload does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for latest patched version

Vendor Advisory: https://github.com/WWBN/AVideo

Restart Required: No

Instructions:

1. Update to the latest version of AVideo
2. Apply vendor-provided patches for the getOpenGraph functionality
3. Verify input sanitization is properly implemented

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution sources.

Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'

Input Validation Filter (applies to: all)

Add server-side validation for the videoName parameter.

Implement input sanitization in the getOpenGraph function to strip or escape HTML/JS before the value is written into the page.
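
The following is an added illustration of the escaping step described above, written in Python for readability rather than in the project's own PHP; it is not AVideo code, and the function names and the sample title are constructed for the example. It contrasts the vulnerable pattern (interpolating the name straight into an Open Graph meta tag) with the hardened one (length/control-character validation followed by attribute-context HTML escaping), and includes a check that the rendered tag cannot be broken out of.

```python
import html
import re

# Constructed sample, not a real AVideo title: a value that closes the
# content attribute and injects markup if it is echoed unescaped.
SAMPLE_VIDEO_NAME = 'Demo"><script>alert(1)</script>'


def render_og_title_unescaped(video_name: str) -> str:
    """The vulnerable pattern: the title lands in the tag without escaping."""
    return f'<meta property="og:title" content="{video_name}">'


def clean_video_name(video_name: str, max_len: int = 200) -> str:
    """Server-side validation: drop control characters and cap the length."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", video_name)
    return cleaned[:max_len].strip()


def render_og_title(video_name: str) -> str:
    """Hardened pattern: validate, then escape for the HTML attribute context.

    quote=True makes html.escape encode both " and ' in addition to <, > and &,
    which is what an attribute value needs.
    """
    safe = html.escape(clean_video_name(video_name), quote=True)
    return f'<meta property="og:title" content="{safe}">'


def tag_is_safe(rendered: str) -> bool:
    """A cheap regression check: exactly one tag open and one tag close means
    the attribute value could not have introduced markup of its own."""
    return rendered.count("<") == 1 and rendered.count(">") == 1


if __name__ == "__main__":
    print(render_og_title_unescaped(SAMPLE_VIDEO_NAME))
    print(render_og_title(SAMPLE_VIDEO_NAME))
```

The same idea applies in PHP with htmlspecialchars($name, ENT_QUOTES) applied at the point where the value is written into the tag; escaping on output is what removes the XSS, while the validation step only limits the damage of unexpected input.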

🧯 If You Can't Patch

  • Implement WAF rules to block XSS payloads in videoName parameter
  • Disable or restrict the vulnerable functionality if not essential

🔍 How to Verify

Check if Vulnerable:

Test by injecting an XSS payload into the videoName parameter and checking whether it executes when the resulting page is viewed

Check Version:

Check AVideo version in admin panel or via version file

Verify Fix Applied:

Test with the same XSS payloads to confirm they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters in videoName parameter
  • Multiple failed XSS attempts
  • Suspicious referrer headers

Network Indicators:

  • HTTP requests with script tags in parameters
  • Unusual outbound connections after page load

SIEM Query:

web_requests WHERE parameter CONTAINS '<script>' OR parameter CONTAINS 'javascript:'
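
The SIEM query above matches the literal strings <script> and javascript:, so it misses URL-encoded, double-encoded or mixed-case variants of the same parameter values. The following is an added example, not part of the page and not an AVideo or vendor tool, that applies the same two indicators to web-server access logs after decoding each query parameter; the log lines are constructed for the example and the IP addresses and paths are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Apache combined format (illustration only).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2023:10:00:01 +0000] "GET /view?videoName=holiday+trip HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2023:10:00:02 +0000] "GET /view?videoName=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Dec/2023:10:00:03 +0000] "GET /view?videoName=%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Dec/2023:10:00:04 +0000] "GET /view?videoName=javascript%3Aalert(1)&page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2023:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The two indicators from the page's SIEM query, matched case-insensitively.
INDICATORS = ("<script", "javascript:")


def decode_param(value: str) -> str:
    """Percent-decode repeatedly so double-encoded values are inspected too.

    The loop is bounded so a value that keeps changing cannot spin forever.
    """
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str):
    """Return (name, decoded_value, indicator) for each query parameter of
    the request target that contains one of the indicators."""
    hits = []
    # parse_qsl already applies one round of decoding and turns + into space.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_param(value).lower()
        for indicator in INDICATORS:
            if indicator in decoded:
                hits.append((name, decoded, indicator))
                break
    return hits


def scan_log(lines):
    """Return (client_ip, parameter_name, indicator) for every request whose
    query string carries an XSS indicator; requests without a query are skipped."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, _decoded, indicator in suspicious_params(match.group("target")):
            findings.append((client_ip, name, indicator))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
```

Only GET-style query strings are visible in a standard access log; a stored payload submitted in a POST body will not appear here, so application-level logging of the videoName value at the point of storage is the complementary source for the "Log Indicators" above.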
