Closed nazimboudeffa closed 7 months ago
Thank you nazim
version 11.6 is too old, can you please test it in the latest version 14.3?
also, I think those vulnerabilities are false alerts. can you please show some use cases?
I don't find the release of the v14.3
you must install it using git clone, or make a git pull
Ah, okay, thank you, got to test it and be back
but also, please show real cases, not just the script warnings. I do not think they are true
Ok, ok. If it's only a warning, I prefer to leave it as is until you create a release. I will clone the repo and use it in a subdomain and be back to open another issue if the problem still occurs. Thank you @DanielnetoDotCom
Version 11.6 is too old, could you please test it in the latest version 14.3?
I also think these vulnerabilities are false alerts. Could you please show some use cases?
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
Oh sorry @ktalgerie, I've closed the issue too quickly. Is it on the actual version of the repo, meaning v14.3? So should we reopen it?
Yes, it is
But make sure you can actually attack the site
It seems to be a false alert for me
Ok, so, I reopen if there is a proof of an attack, otherwise it is already closed
Describe the bug: An expert in pentesting contacted me on LinkedIn to show me an XSS vulnerability on my AVideo v11.6 installation on https://bledtube.com
To Reproduce: It seems that he uses an external script called Retire.js. I was able to reproduce it by going to Chrome extensions and searching for retirejs, then installing it. I typed the name of my site in Chrome and I got the list of vulnerabilities.
Expected behavior: It is shown in the screenshot
Error Logs: It shows a list of Common Vulnerabilities and Exposures