Summary
A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in PHPVOD v4.0, and is found in /phpvod/module/video/extension/upload/server/view/admin/view.php
Details
The vulnerability arises from improper sanitization of the id parameter in the video upload functionality.
User input obtained via phpvod::$app->request->get('id') is directly embedded into the page without proper sanitization or encoding, leading to XSS.
Proof of Concept (POC)
http://192.168.0.10:1020/admin/video/video/add.html?id=%3C/script%3E%3Csvg%20onload=alert(1)%3E
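Mitigation sketch, added here as an example and not taken from PHPVOD's source: it contrasts the unencoded reflection described above with context-specific output encoding. The function names and the template shape are hypothetical, and the script-block context is an assumption inferred from the PoC's leading `</script>`.

```php
<?php
declare(strict_types=1);

// Added example; not PHPVOD code. All function names here are hypothetical.

// The pattern the advisory describes: the request value is concatenated
// into the page as-is (assumed here to land inside a <script> block).
function render_vulnerable(string $id): string
{
    return "<script>var videoId = '" . $id . "';</script>";
}

// JavaScript context: emit the value as a JSON string literal. The HEX flags
// turn <, >, &, ' and " into \uXXXX escapes, so the value can neither close
// the string nor terminate the enclosing <script> element.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

function render_hardened(string $id): string
{
    return '<script>var videoId = ' . js_literal($id) . ';</script>';
}

// HTML text or quoted-attribute context: entity-encode instead.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL-decoded value of the id parameter from the PoC above.
$sample = '</script><svg onload=alert(1)>';

echo render_vulnerable($sample), PHP_EOL; // markup breaks out of the script block
echo render_hardened($sample), PHP_EOL;   // value stays inside one JS string literal
echo '<input type="hidden" name="id" value="', html_text($sample), '">', PHP_EOL;
```

The encoder has to match the sink: `htmlspecialchars()` alone does not make a value safe inside a script block, and `json_encode()` output still needs `htmlspecialchars()` if it is placed in an HTML attribute.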