
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-49279 is a stored Cross-Site Scripting (XSS) vulnerability in WWBN AVideo's WebSocket messaging system, specifically a bypass of a prior incomplete fix (CVE-2026-43874). The vulnerability exists in plugin/YPTSocket/MessageSQLite.php, where the autoEvalCodeOnHTML sanitization only covers the $json['msg'] key but not the $json['json'] key read by msgToResourceId(). It affects AVideo versions up to and including 29.0 (composer package wwbn/avideo). The advisory was published on May 25, 2026, and reviewed on June 4, 2026, with a CVSS v4 base score of 7.7 (High) (Github Advisory, AVideo Advisory).
The root cause is an incomplete sanitization implementation classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). In MessageSQLite.php, lines 268–271 only call unset($json['msg']['autoEvalCodeOnHTML']), stripping the dangerous key from the msg path only. However, msgToResourceId() at lines 361–367 reads from $msg['json'] with higher priority than $msg['msg'], and this path is never sanitized. An authenticated attacker exploits this by placing an autoEvalCodeOnHTML payload inside the json key of a WebSocket message rather than the msg key, bypassing the shallow strip entirely. Notably, sibling files Message.php and MessageSQLiteV2.php correctly apply removeAutoEvalCodeOnHTMLRecursive($json) across all nested paths, but MessageSQLite.php does not call this function at all (Github Advisory, AVideo Commit).
A successful exploit allows an authenticated attacker to execute arbitrary JavaScript in any connected victim's browser session via the WebSocket messaging system. This enables theft of session cookies and authentication tokens, account takeover through session hijacking, and the ability to chain with CSRF to perform admin-level actions on behalf of the victim. The vulnerability affects the default SQLite WebSocket backend configuration, meaning it is present in standard AVideo deployments without special configuration (AVideo Advisory).
wss://TARGET/plugin/YPTSocket/server.php) and obtain the victim's user ID (VICTIM_USER_ID) and a valid RESOURCE_ID.json key (not msg) to bypass sanitization:const ws = new WebSocket('wss://TARGET/plugin/YPTSocket/server.php?token=USER_TOKEN');
ws.onopen = () => {
ws.send(JSON.stringify({
msg: "Hello", // decoy — sanitized path
json: {autoEvalCodeOnHTML: "alert('XSS')"},// payload — unsanitized path
to_users_id: VICTIM_USER_ID,
resourceId: RESOURCE_ID
}));
};MessageSQLite.php strips autoEvalCodeOnHTML only from $json['msg']; the json key passes through unmodified.msgToResourceId() reads $msg['json'] first (higher priority), relaying the unsanitized payload to the victim's WebSocket client.autoEvalCodeOnHTML value, executing the attacker's JavaScript — enabling cookie theft, session hijacking, or further exploitation (AVideo Advisory).wss://TARGET/plugin/YPTSocket/server.php containing both a msg key and a json key with an autoEvalCodeOnHTML field; WebSocket traffic with JavaScript payloads (e.g., alert, document.cookie, fetch) embedded in the json object.json key containing autoEvalCodeOnHTML from non-CLI, non-PHP sources; repeated WebSocket connections from a single authenticated user targeting multiple victim user IDs.The fix is implemented in commit 3e0b3ce by replacing the shallow unset($json['msg']['autoEvalCodeOnHTML']) with a call to $this->removeAutoEvalCodeOnHTMLRecursive($json) in MessageSQLite.php, consistent with the approach already used in Message.php and MessageSQLiteV2.php. Administrators should update to a version of AVideo that includes this commit. No configuration-based workaround is available; upgrading is the only reliable remediation. As an interim measure, restricting access to the WebSocket endpoint to trusted users or disabling the YPTSocket plugin can reduce exposure (AVideo Commit, Github Advisory).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"