CVE-2026-50182
PHP 취약성 분석 및 완화

개요

CVE-2026-50182 is an unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the AVideo YouTubeAPI Gallery Pagination feature of WWBN AVideo. The $_GET['search'] query parameter is concatenated without sanitization directly into href attributes of pagination links in plugin/YouTubeAPI/gallerySection.php, allowing any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser by inducing them to follow a crafted URL. All versions up to and including v29.0 of the WWBN/AVideo Composer package are affected; no patched release has been published as of the advisory date. The vulnerability was published on May 28, 2026, and added to the GitHub Advisory Database on June 4, 2026, with a CVSS v3.1 base score of 6.1 (Medium) (GitHub Advisory, AVideo Advisory).

기술적 세부 사항

The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the absence of htmlspecialchars, urlencode, or any allow-list validation on $_GET['search'] before it is string-interpolated into <a href="..."> elements at lines 67 and 74 of plugin/YouTubeAPI/gallerySection.php. The PHP @ error-suppression operator used (@$_GET['search']) only silences undefined-index warnings and provides no sanitization. Two preconditions must be met: the YouTubeAPI plugin must be enabled with showGallerySection=true (the default), and the fulltext MySQL MATCH(v.title) AGAINST(<search>) query must return at least one result — a condition trivially satisfied by seeding the payload with a common word like video. A secondary amplification occurs because the AVideo Layout plugin (plugin/Layout/Layout.php:611) extracts all inline <script> blocks via regex and consolidates them into a single trailing script block before </body>, effectively lifting the injected payload out of the href attribute context and into a clean executable script block (GitHub Advisory, AVideo Advisory).

영향

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary JavaScript in the victim's browser under the AVideo origin, enabling theft of non-HttpOnly session cookies, credential harvesting, and issuance of authenticated AJAX requests on behalf of the victim. When the victim is an AVideo administrator, the injected script can perform any admin action protected only by cookie-based authentication — including creating users, promoting accounts to admin, modifying site configuration, or installing plugins — effectively escalating a single click on a crafted link into full administrative takeover of the AVideo instance. Availability is not directly impacted, but confidentiality and integrity of both user data and site configuration are at risk (GitHub Advisory, AVideo Advisory).

착취 단계

  1. Reconnaissance: Identify AVideo instances (WWBN/AVideo ≤ v29.0) with the YouTubeAPI plugin enabled and showGallerySection=true (the default configuration). Use search engines or tools like Shodan to locate publicly accessible AVideo deployments.
  2. Verify precondition: Confirm the target has at least one video in its database whose title contains a common word (e.g., "video") to satisfy the MySQL fulltext MATCH(v.title) AGAINST(<search>) gate that controls gallery rendering.
  3. Craft malicious URL: Construct a URL embedding the XSS payload in the search parameter, seeded with a common word to guarantee a fulltext hit, e.g.:
    https://avideo.example/?search=video%22%3E%3Cscript%3Ealert(1337)%3C%2Fscript%3E&page=2
    The payload video"><script>alert(1337)</script> closes the href attribute, closes the <a> tag, and injects a new <script> element.
  4. Deliver to victim: Send the crafted URL to a target victim via phishing email, social media, or any other social engineering channel. No interaction beyond clicking the link is required.
  5. Payload execution: When the victim's browser loads the page, the AVideo Layout plugin's organizeHTML() function extracts the injected <script> block from the href context and places it in a clean executable inline script block before </body>, causing the browser to execute the arbitrary JavaScript under the AVideo origin.
  6. Achieve objective: Replace alert(1337) with a payload that exfiltrates session cookies, performs admin actions (e.g., creating a backdoor admin account), or establishes persistent access — particularly effective if the victim is an authenticated administrator (GitHub Advisory, AVideo Advisory).

타협의 징후

  • Network: HTTP GET requests to the AVideo homepage or gallery pages containing URL-encoded XSS payloads in the search parameter (e.g., %22%3E%3Cscript%3E, "><script>, or similar HTML-breaking sequences); unusual outbound requests from victim browsers to attacker-controlled domains shortly after page load.
  • Logs: Web server access logs showing requests to /?search=... or /page/<n>?pageToken=...&search=... with encoded angle brackets, quote characters, or <script> fragments in the search parameter value; repeated requests from different IPs with identical malicious search payloads (indicating a distributed phishing campaign).
  • Application Logs: AVideo application logs showing fulltext search queries containing tokens like script, alert, onerror, or other JavaScript keywords alongside common words used to satisfy the fulltext gate.
  • Browser/Client Side: Unexpected JavaScript execution or network requests originating from the AVideo page context; session cookie theft evidenced by account takeover or admin actions not initiated by the legitimate user (GitHub Advisory).

완화 및 해결 방법

The fix was committed to the WWBN/AVideo repository (commit f50fc03) and improves URL encoding for pagination links in gallerySection.php by applying proper encoding to the $_GET['search'] value before interpolation. As of the advisory date, no patched release version has been published for the Composer package (affected versions listed as ≤ 29.0 with "Patched versions: None"). Administrators should apply the patch from commit f50fc03 manually, or as a workaround, disable the YouTubeAPI plugin or set showGallerySection=false until an official patched release is available. Additionally, deploying a Web Application Firewall (WAF) rule to block requests with HTML-breaking characters in the search parameter can reduce exposure (GitHub Advisory, Fix Commit).

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 PHP 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
아니요Jul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자