How GHSA-7cqp-7cfv-6c3q Works
This vulnerability resides in the Meet plugin of WWBN/AVideo, an open-source video platform. The core issue is the improper handling of the HTTP `User-Agent` header, which is logged for every participant joining a meeting and later displayed without any sanitization in the administrative participant management panel.
The attack vector is uniquely stealthy: an unauthenticated, anonymous attacker can join any public meeting (where `public = 2` and no password is set) and simply craft a malicious `User-Agent` header containing an HTML/JavaScript payload. The vulnerable code path begins in plugin/Meet/iframe.php, where the `Meet::validatePassword()` function returns `true` for public meetings, allowing the `Meet_join_log::log()` function to be called.
Inside `Meet_join_log::log()`, the `get_browser_name()` function is invoked. This function, defined in objects/functionsBrowser.php, attempts to classify the browser but returns the raw, original `$_SERVER['HTTP_USER_AGENT']` verbatim for any agent not matching a known browser pattern. This raw string, which can include HTML tags, is then stored directly into the `meet_join_log.user_agent` database column without any sanitization. Unlike other parts of the application that use `xss_esc()` (e.g., `Meet_schedule::setTopic()`), this setter provides no output encoding, allowing the malicious payload to reach the database unchanged.
On the read side, the stored payload is rendered in the meeting management panel. When a host or administrator opens the participant list, the front-end JavaScript in `plugin/Meet/meet_scheduled.php` fetches data from plugin/Meet/getMeetInfo.json.php. This endpoint, which is gated by `Meet_schedule::canManageSchedule()` (ensuring only admins or the meeting owner can access it), constructs the HTML output. Critically, `$value['user_agent']` is concatenated directly into the HTML using `echo` without `htmlspecialchars()`. The returned JSON response is then injected into the DOM using jQuery's `.html()` method, which parses and executes any embedded HTML/JavaScript. This results in a cross-privilege stored XSS, where an anonymous attacker can execute arbitrary JavaScript in the context of an authenticated administrator's session, leading to full account takeover.
DailyCVE Form:
Platform: WWBN/AVideo
Version: Commit e8d6119 (prior releases)
Vulnerability: Stored XSS (User-Agent)
Severity: Critical (CVSS: 8.8)
Date: 2026-06-23 (disclosed)
Prediction: Patch expected 2026-07-15
What Undercode Say: Analytics
The following analytics and commands demonstrate the vulnerability’s exploitation and impact.
1. Creating a Public Meeting (as Admin)
curl -sk -H 'Host: <TARGET>' -H "Cookie: $ADMIN_SESSION" -H 'Referer: https://<TARGET>/' \
--data-urlencode 'RoomTopic=Demo' --data-urlencode 'public=2' --data-urlencode 'RoomPasswordNew=' \
'https://<TARGET>/plugin/Meet/saveMeet.json.php'
Response: {"error":false,"meet_schedule_id":1, ...}
2. Injecting the Payload (as Anonymous Attacker)
curl -sk -H 'Host: <TARGET>' -H 'Referer: https://<TARGET>/' \
-A '<img src=x onerror=alert(document.domain)> http' \
'https://<TARGET>/plugin/Meet/iframe.php?meet_schedule_id=1&meet_password='
Payload stored in meet_join_log.user_agent as:
Other <img src=x onerror=alert(document.domain)> http
3. Triggering the XSS (as Admin)
curl -sk -H 'Host: <TARGET>' -H "Cookie: $ADMIN_SESSION" -H 'Referer: https://<TARGET>/' \
'https://<TARGET>/plugin/Meet/getMeetInfo.json.php?meet_schedule_id=1'
The JSON response contains the unescaped payload in the 'html' field.
Vulnerable Code Snippets
- Write Path (Storing Payload): `plugin/Meet/Objects/Meet_join_log.php:147` & `:177`
- Read Path (Rendering Payload): `plugin/Meet/getMeetInfo.json.php:71`
Exploit:
An attacker can exploit this vulnerability by:
- Identifying a public meeting (or creating one if they have credentials).
- Joining the meeting with a specially crafted `User-Agent` header containing an XSS payload (e.g., `<img src=x onerror=...>`).
- Waiting for the meeting host or a site administrator to open the participant management panel.
- The payload executes in the victim’s browser, allowing the attacker to steal session cookies, perform actions on behalf of the admin, or exfiltrate CSRF tokens.
Protection:
To mitigate this vulnerability, the following fixes are recommended:
1. Immediate Fix (Sink Encoding): Apply output encoding at the read path in plugin/Meet/getMeetInfo.json.php:71:
echo '<li class="list-group-item">' . $count . " - " . User::getNameIdentificationById($value['users_id']) . ' <span class="badge">' . $value['created'] . '</span><br><small class="text-muted">' . htmlspecialchars($value['user_agent'], ENT_QUOTES, 'UTF-8') . '</small></li>';
2. Defense in Depth (Source Sanitization): Sanitize the value on write in `Meet_join_log::setUser_agent()` using `xss_esc()` or similar encoding functions, mirroring the protection used in Meet_schedule::setTopic().
3. Generic Protections:
- Disable public meetings or enforce password protection for all meetings.
- Implement a Web Application Firewall (WAF) rule to block suspicious `User-Agent` headers containing HTML tags.
- Regularly update AVideo to the latest patched version once available.
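As an added example (not AVideo's own code), fixes 1 and 2 above applied together in plain PHP. `sanitize_user_agent()` and `render_participant_row()` are hypothetical stand-ins for `Meet_join_log::setUser_agent()` and the `echo` at plugin/Meet/getMeetInfo.json.php:71; the sample stored value is the one quoted on this page.

```php
<?php
// Added example, not AVideo's own code. Function names are hypothetical
// stand-ins for Meet_join_log::setUser_agent() and the echo at
// plugin/Meet/getMeetInfo.json.php:71.

// Write path (defense in depth): normalise the raw User-Agent before it is
// stored, so an unrecognised browser string cannot carry markup into the
// meet_join_log.user_agent column.
function sanitize_user_agent(?string $raw): string
{
    $ua = strip_tags($raw ?? '');                   // drop <img ...>, <script> ...
    $ua = preg_replace('/[^\x20-\x7E]/', '', $ua);   // printable ASCII only
    return substr(trim($ua), 0, 255);                // bound the length
}

// Read path (the required fix): encode at the sink, whatever is already stored.
// ENT_QUOTES also covers attribute contexts; the charset must be explicit.
function render_participant_row(int $count, string $name, string $created, string $userAgent): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li class="list-group-item">' . $count . ' - ' . $esc($name)
        . ' <span class="badge">' . $esc($created) . '</span><br>'
        . '<small class="text-muted">' . $esc($userAgent) . '</small></li>';
}

// Constructed sample: the stored value quoted on this page, as it would sit in
// the database of an unpatched install.
$stored = 'Other <img src=x onerror=alert(document.domain)> http';

// With sink encoding the browser renders the payload as text: no <img> element
// is created, so onerror never runs even though the row is inserted via .html().
echo render_participant_row(1, 'anonymous', '2026-06-23 10:00:00', $stored), PHP_EOL;

// With source sanitisation the markup never reaches the column at all.
echo sanitize_user_agent($stored), PHP_EOL;
```

Sink encoding is the change that closes the bug on its own, since it also neutralises rows written before the patch; the write-path filter only limits what future rows can contain.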
Impact:
- Cross-Privilege Stored XSS: An unauthenticated attacker can execute JavaScript in the browser of a privileged user (host/admin).
- Full Account Takeover: The attacker can steal session cookies, CSRF tokens, and perform arbitrary authenticated actions, including user management, permission changes, and plugin configuration.
- Data Persistence: The malicious payload remains in the database and will execute for every privileged user who views the participant list of the affected meeting, leading to widespread compromise.
Sources:
Reported By: github.com