CVE-2026-33683
Stored XSS in WWBN AVideo User Profile "About" Field
Publication date: 2026-03-23
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33683 is a stored Cross-Site Scripting (XSS) vulnerability in the "about" field of user profiles in the WWBN AVideo platform (versions up to and including 26.0). The vulnerability arises from an incorrect order of sanitization operations combined with output decoding.

Specifically, the input is first entity-encoded using the function `xss_esc()`, which converts special HTML characters into their encoded equivalents (e.g., `<script>` becomes `&lt;script&gt;`). Then, a function `strip_specific_tags()` attempts to remove dangerous HTML tags using regex patterns that look for literal tags. However, because the tags are already encoded, the regex does not match and the dangerous tags are not removed.

Later, when the content is displayed on the channel page, `html_entity_decode()` reverses the encoding, restoring the original malicious HTML tags. The decoded content is then output directly without further escaping, allowing any injected JavaScript to execute in the browsers of visitors to the affected channel page.

Additionally, the `<img>` tag is not included in the blacklist of tags to strip, so payloads such as `<img src=x onerror=...>` bypass the sanitization entirely.

Any authenticated user can exploit this by injecting arbitrary JavaScript into their "about" field, which executes when other users visit their channel page. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker who is a registered user to inject malicious JavaScript code into their profile's "about" field. When other users visit the attacker's channel page, the malicious script executes in their browsers. Possible consequences include:

- Execution of arbitrary JavaScript in the context of the victim's browser.
- Potential theft of sensitive information such as cookies, session tokens, or other credentials.
- Performing actions on behalf of the victim user without their consent (e.g., CSRF attacks).
- Defacement or manipulation of the website content as seen by other users.

Because the channel page is publicly accessible without authentication, any visitor can be affected by the malicious script. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the user "about" field in WWBN AVideo allows stored Cross-Site Scripting (XSS) payloads to execute when visiting channel pages.

One practical approach is to test the application by logging in as a registered user and submitting a payload containing JavaScript code or an image tag with an onerror handler in the "about" field via a POST request to the endpoint `objects/userUpdate.json.php`.

For example, the following curl command submits a test payload:

```shell
curl -X POST -d 'about=<script>alert(1)</script>' -b cookies.txt https://your-avideo-site.com/objects/userUpdate.json.php
```

After submitting the payload, visit the test user's channel page to see whether the script executes, indicating the presence of the vulnerability.

Additionally, inspecting the stored "about" field content in the database or via API responses for unescaped or decoded HTML tags such as `<script>` or `<img>` with event handlers can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

- Remove the use of `html_entity_decode()` on output so that the stored entity-encoded "about" content is output directly without decoding, preventing restoration of malicious HTML.
- Reverse the sanitization order by first stripping dangerous HTML tags using `strip_specific_tags()` and then encoding special characters with `xss_esc()`. This ensures dangerous tags are removed before encoding.
- Use a robust HTML sanitizer such as HTMLPurifier to sanitize the "about" field content, allowing only a safe subset of HTML tags and attributes.

The best practice is to apply the patch from commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, which integrates HTMLPurifier with a strict configuration to sanitize user input safely before rendering. [1, 2]
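As an added illustration (not code from AVideo or from the advisory), the following Python model reproduces the encode-then-strip-then-decode pipeline described in the explanation above and the corrected order from the mitigation steps. `xss_esc()` and `html_entity_decode()` are stood in for by `html.escape()` and `html.unescape()`, and the tag blacklist used by `strip_specific_tags()` is an assumption, since the advisory states only that `<img>` is absent from it.

```python
import html
import re

# Assumed blacklist: the advisory only says <img> is missing from it.
BLACKLISTED_TAGS = ["script", "iframe", "object", "embed"]


def xss_esc(text: str) -> str:
    """Entity-encode HTML metacharacters (stand-in for AVideo's xss_esc())."""
    return html.escape(text, quote=True)


def strip_specific_tags(text: str, tags=BLACKLISTED_TAGS) -> str:
    """Remove blacklisted tags with a regex that only matches a literal '<tag ...>'."""
    for tag in tags:
        text = re.sub(rf"<\s*/?\s*{tag}\b[^>]*>", "", text, flags=re.IGNORECASE)
    return text


def vulnerable_store(about: str) -> str:
    # Bug 1: encoding runs first, so '<' is already '&lt;' and the
    # literal-tag regex in strip_specific_tags() never matches anything.
    return strip_specific_tags(xss_esc(about))


def vulnerable_render(stored: str) -> str:
    # Bug 2: decoding on output restores exactly the markup the encoding hid,
    # and the result is emitted without further escaping.
    return html.unescape(stored)


def fixed_store(about: str) -> str:
    # Mitigation: strip literal tags first, then entity-encode what remains.
    return xss_esc(strip_specific_tags(about))


def fixed_render(stored: str) -> str:
    # Mitigation: emit the stored entity-encoded value; no html_entity_decode().
    return stored


def contains_active_markup(rendered: str) -> bool:
    """Detection helper: does rendered output still carry a raw <script> tag
    or any raw tag with an on* event-handler attribute?"""
    pattern = r"<\s*script\b|<[^>]+\bon\w+\s*="
    return re.search(pattern, rendered, re.IGNORECASE) is not None
```

Because the blacklist gap for `<img>` is real in this model too, `strip_specific_tags()` alone leaves an `onerror` image tag untouched; it is the absence of output decoding that keeps the fixed path inert.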