CVE-2026-54458
PHP 취약성 분석 및 완화

개요

CVE-2026-54458 is an unauthenticated stored DOM Cross-Site Scripting (XSS) vulnerability in the YPTSocket plugin of WWBN AVideo, allowing any unauthenticated remote attacker to execute arbitrary JavaScript in the authenticated browser session of every administrator viewing a page that renders the YPTSocket online-users debug panel. The vulnerability was published on June 4, 2026, and affects AVideo version 29.0 and earlier. It carries a CVSS v3.1 base score of 9.6 (Critical) (GitHub Advisory).

기술적 세부 사항

The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), with two unsanitized attacker-controlled parameters — webSocketSelfURI and page_title — being stored and broadcast to all connected clients. The getWebSocket.json.php endpoint issues a signed WebSocket token to any anonymous caller (the only gate is whether the YPTSocket plugin is enabled), and MessageSQLiteV2::onOpen reads webSocketSelfURI and page_title from the WebSocket connection URL query string without validation, persisting both verbatim into an in-memory SQLite connections table. The broadcast helper dbGetUniqueUsers() returns these unescaped values as part of the users_id_online JSON frame sent to every connected client; on the client side, script.js::updateSocketUserCard interpolates page_title into an HTML template literal passed to jQuery's $.append(html), which parses attacker-supplied bytes into live DOM nodes — including <img> tags with inline onerror event handlers — executing arbitrary JavaScript in the admin's authenticated origin (GitHub Advisory, Fix Commit).

영향

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript within the authenticated AVideo origin of every administrator currently viewing a page with the YPTSocket debug panel rendered. The attacker's script can read non-HttpOnly cookies and CSRF tokens from the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation — effectively achieving full administrative takeover of the AVideo instance via the victim admin's own session (GitHub Advisory).

착취 단계

  1. Reconnaissance: Identify an AVideo instance with the YPTSocket plugin enabled (default after plugin activation) and confirm at least one administrator is actively browsing the platform.
  2. Obtain anonymous WebSocket token: Send an unauthenticated HTTP GET request to /plugin/YPTSocket/getWebSocket.json.php?webSocketSelfURI=/dashboard?x=1 to receive a signed WebSocket URL in the JSON response — no credentials required.
  3. Craft malicious WebSocket URL: Append the attacker-controlled page_title parameter containing an XSS payload (e.g., <img src=x onerror=...> with String.fromCharCode-encoded strings to avoid quote/backtick characters) to the returned WebSocket URL, along with the webSocketSelfURI parameter.
  4. Connect and inject payload: Open a WebSocket connection to the crafted URL. The server's MessageSQLiteV2::onOpen stores the malicious page_title verbatim in the in-memory SQLite connections table.
  5. Payload broadcast: The server's dbGetUniqueUsers() broadcasts the stored page_title to all connected clients in the next broadcast cycle via the users_id_online JSON frame.
  6. XSS execution in admin context: Every administrator tab rendering the YPTSocket debug panel receives the broadcast; script.js::updateSocketUserCard interpolates the malicious page_title into a jQuery $.append(html) call, causing the browser to parse and execute the attacker's JavaScript within the admin's authenticated AVideo origin, enabling session hijacking, CSRF token theft, or admin action execution (GitHub Advisory).

타협의 징후

  • Network: Unauthenticated HTTP GET requests to /plugin/YPTSocket/getWebSocket.json.php with unusual or external webSocketSelfURI query parameters; anonymous WebSocket connections to the AVideo WebSocket port carrying page_title parameters containing HTML tags or JavaScript-like strings (e.g., <img, onerror, String.fromCharCode).
  • Logs: Web server access logs showing anonymous (no session cookie) requests to getWebSocket.json.php followed immediately by WebSocket upgrade requests with encoded page_title values; repeated WebSocket connections from the same IP with varying payloads.
  • Application Behavior: Administrators reporting unexpected page behavior (e.g., background color changes, tab title modifications) while viewing AVideo pages with the YPTSocket footer loaded; unexpected JavaScript errors or network requests originating from admin browser sessions to external domains.
  • File System: No file-system artifacts expected for this in-memory/DOM-based attack; however, review plugin/YPTSocket/MessageSQLiteV2.php and plugin/YPTSocket/script.js for unauthorized modifications (GitHub Advisory).

완화 및 해결 방법

The fix is available in commit 8be71e5 for the AVideo repository, which validates webSocketSelfURI against FILTER_VALIDATE_URL and a strict ^https?:// regex before accepting it, and replaces the unsafe utf8_encode call on page_title with htmlspecialchars(..., ENT_QUOTES | ENT_HTML5, 'UTF-8') to properly HTML-encode the value before storage. As of the advisory publication date (June 4, 2026), no patched release version beyond the commit has been formally tagged — administrators should apply the patch commit directly or monitor for an updated release. As an immediate workaround, disabling the YPTSocket plugin or setting debugSocket=false in the plugin configuration will prevent the vulnerable debug panel from rendering in admin sessions (Fix Commit, GitHub Advisory).

커뮤니티 반응

The vulnerability was reported by security researcher arkmarta and published by AVideo maintainer DanielnetoDotCom on June 4, 2026, with a detailed advisory and PoC included in the official GitHub Security Advisory. No broader media coverage or notable community commentary beyond the advisory itself has been identified at this time (GitHub Advisory).

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 PHP 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
아니요Jul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
아니요아니요Jul 15, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자