Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33683 is a stored Cross-Site Scripting (XSS) vulnerability in the "about" field of user profiles in the WWBN AVideo platform (versions up to and including 26.0). The vulnerability arises due to an incorrect order of sanitization operations combined with output decoding.'}, {'type': 'paragraph', 'content': 'Specifically, the input is first entity-encoded using the function xss_esc(), which converts special HTML characters into their encoded equivalents (e.g., <script> becomes &lt;script&gt;). Then, a function strip_specific_tags() attempts to remove dangerous HTML tags using regex patterns that look for literal tags. However, because the tags are already encoded, the regex does not match and dangerous tags are not removed.'}, {'type': 'paragraph', 'content': 'Later, when the content is displayed on the channel page, html_entity_decode() reverses the encoding, restoring the original malicious HTML tags. The decoded content is then output directly without further escaping, allowing any injected JavaScript to execute in the browsers of visitors to the affected channel page.'}, {'type': 'paragraph', 'content': 'Additionally, the <img> tag is not included in the blacklist of tags to strip, allowing attackers to use payloads like <img src=x onerror=...> to bypass sanitization entirely.'}, {'type': 'paragraph', 'content': 'Any authenticated user can exploit this by injecting arbitrary JavaScript into their "about" field, which executes when other users visit their channel page.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker who is a registered user to inject malicious JavaScript code into their profile\'s "about" field. When other users visit the attacker\'s channel page, the malicious script executes in their browsers.'}, {'type': 'list_item', 'content': "Execution of arbitrary JavaScript in the context of the victim's browser."}, {'type': 'list_item', 'content': 'Potential theft of sensitive information such as cookies, session tokens, or other credentials.'}, {'type': 'list_item', 'content': 'Performing actions on behalf of the victim user without their consent (e.g., CSRF attacks).'}, {'type': 'list_item', 'content': 'Defacement or manipulation of the website content as seen by other users.'}, {'type': 'paragraph', 'content': 'Because the channel page is publicly accessible without authentication, any visitor can be affected by the malicious script.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the user "about" field in WWBN AVideo allows stored Cross-Site Scripting (XSS) payloads to execute when visiting channel pages.'}, {'type': 'paragraph', 'content': 'One practical approach is to test the application by logging in as a registered user and submitting a payload containing JavaScript code or an image tag with an onerror handler in the "about" field via a POST request to the endpoint `objects/userUpdate.json.php`.'}, {'type': 'paragraph', 'content': 'For example, you can use the following curl command to submit a test payload:'}, {'type': 'list_item', 'content': "curl -X POST -d 'about=<script>alert(1)</script>' -b cookies.txt https://your-avideo-site.com/objects/userUpdate.json.php"}, {'type': 'paragraph', 'content': "After submitting the payload, visit the attacker's channel page to see if the script executes, indicating the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'Additionally, inspecting the stored "about" field content in the database or via API responses for unescaped or decoded HTML tags like <script> or <img> with event handlers can help detect the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Remove the use of `html_entity_decode()` on output so that the stored entity-encoded "about" content is output directly without decoding, preventing restoration of malicious HTML.'}, {'type': 'list_item', 'content': 'Reverse the sanitization order by first stripping dangerous HTML tags using `strip_specific_tags()` and then encoding special characters with `xss_esc()`. This ensures dangerous tags are removed before encoding.'}, {'type': 'list_item', 'content': 'Use a robust HTML sanitizer such as HTMLPurifier to sanitize the "about" field content, allowing only a safe subset of HTML tags and attributes.'}, {'type': 'paragraph', 'content': 'The best practice is to apply the patch from commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, which integrates HTMLPurifier with a strict configuration to sanitize user input safely before rendering.'}] [1, 2]

Useful 0 Not Useful 0