CVE-2026-49279
PHP 취약성 분석 및 완화

개요

CVE-2026-49279 is a stored Cross-Site Scripting (XSS) vulnerability in WWBN AVideo's WebSocket messaging system, specifically a bypass of a prior incomplete fix (CVE-2026-43874). The vulnerability exists in plugin/YPTSocket/MessageSQLite.php, where the autoEvalCodeOnHTML sanitization only covers the $json['msg'] key but not the $json['json'] key read by msgToResourceId(). It affects AVideo versions up to and including 29.0 (composer package wwbn/avideo). The advisory was published on May 25, 2026, and reviewed on June 4, 2026, with a CVSS v4 base score of 7.7 (High) (Github Advisory, AVideo Advisory).

기술적 세부 사항

The root cause is an incomplete sanitization implementation classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). In MessageSQLite.php, lines 268–271 only call unset($json['msg']['autoEvalCodeOnHTML']), stripping the dangerous key from the msg path only. However, msgToResourceId() at lines 361–367 reads from $msg['json'] with higher priority than $msg['msg'], and this path is never sanitized. An authenticated attacker exploits this by placing an autoEvalCodeOnHTML payload inside the json key of a WebSocket message rather than the msg key, bypassing the shallow strip entirely. Notably, sibling files Message.php and MessageSQLiteV2.php correctly apply removeAutoEvalCodeOnHTMLRecursive($json) across all nested paths, but MessageSQLite.php does not call this function at all (Github Advisory, AVideo Commit).

영향

A successful exploit allows an authenticated attacker to execute arbitrary JavaScript in any connected victim's browser session via the WebSocket messaging system. This enables theft of session cookies and authentication tokens, account takeover through session hijacking, and the ability to chain with CSRF to perform admin-level actions on behalf of the victim. The vulnerability affects the default SQLite WebSocket backend configuration, meaning it is present in standard AVideo deployments without special configuration (AVideo Advisory).

착취 단계

  1. Authenticate: Obtain a valid user account and authentication token on the target AVideo instance (low-privilege access is sufficient).
  2. Identify target: Determine the WebSocket endpoint URL (wss://TARGET/plugin/YPTSocket/server.php) and obtain the victim's user ID (VICTIM_USER_ID) and a valid RESOURCE_ID.
  3. Craft malicious WebSocket message: Construct a JSON payload placing the XSS code in the json key (not msg) to bypass sanitization:
const ws = new WebSocket('wss://TARGET/plugin/YPTSocket/server.php?token=USER_TOKEN');
ws.onopen = () => {
  ws.send(JSON.stringify({
    msg: "Hello",                              // decoy — sanitized path
    json: {autoEvalCodeOnHTML: "alert('XSS')"},// payload — unsanitized path
    to_users_id: VICTIM_USER_ID,
    resourceId: RESOURCE_ID
  }));
};
  1. Bypass sanitization: The server's MessageSQLite.php strips autoEvalCodeOnHTML only from $json['msg']; the json key passes through unmodified.
  2. Payload delivery: msgToResourceId() reads $msg['json'] first (higher priority), relaying the unsanitized payload to the victim's WebSocket client.
  3. JavaScript execution: The victim's browser evaluates the autoEvalCodeOnHTML value, executing the attacker's JavaScript — enabling cookie theft, session hijacking, or further exploitation (AVideo Advisory).

타협의 징후

  • Network: Unusual WebSocket messages to wss://TARGET/plugin/YPTSocket/server.php containing both a msg key and a json key with an autoEvalCodeOnHTML field; WebSocket traffic with JavaScript payloads (e.g., alert, document.cookie, fetch) embedded in the json object.
  • Logs: AVideo WebSocket server logs showing messages with a json key containing autoEvalCodeOnHTML from non-CLI, non-PHP sources; repeated WebSocket connections from a single authenticated user targeting multiple victim user IDs.
  • File System: No direct file system artifacts expected for this XSS vector, but secondary payloads (e.g., credential harvesters) may be delivered to victim browsers and exfiltrate data to external hosts.
  • Process/Application: Unexpected outbound HTTP requests from victim browsers to attacker-controlled domains following WebSocket message receipt, potentially visible in browser developer tools or proxy logs (AVideo Advisory).

완화 및 해결 방법

The fix is implemented in commit 3e0b3ce by replacing the shallow unset($json['msg']['autoEvalCodeOnHTML']) with a call to $this->removeAutoEvalCodeOnHTMLRecursive($json) in MessageSQLite.php, consistent with the approach already used in Message.php and MessageSQLiteV2.php. Administrators should update to a version of AVideo that includes this commit. No configuration-based workaround is available; upgrading is the only reliable remediation. As an interim measure, restricting access to the WebSocket endpoint to trusted users or disabling the YPTSocket plugin can reduce exposure (AVideo Commit, Github Advisory).

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 PHP 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
아니요Jul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자