Security Vulnerability Report
中文
CVE-2026-33296 CVSS 6.1 MEDIUM

CVE-2026-33296

Published: 2026-03-22 17:17:09
Last Modified: 2026-03-24 17:52:46
Source: [email protected]

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo < 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- Proof of Concept for CVE-2026-33296 --> <!-- Description: Open Redirect via redirectUri parameter --> <!-- 1. Attacker crafts the malicious URL --> <!-- https://target.com/login?redirectUri=https://attacker.com/phish --> <!-- 2. Victim clicks the link and logs in --> <!-- 3. The vulnerable JavaScript executes the redirect --> <!-- document.location = getParameter('redirectUri'); --> <!-- HTML Example for testing --> <a href="https://target-site.com/login?redirectUri=https://evil.com"> Click here to verify your account (Redirects to evil.com) </a>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33296", "sourceIdentifier": "[email protected]", "published": "2026-03-22T17:17:09.420", "lastModified": "2026-03-24T17:52:46.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, WWBN/AVideo contiene una vulnerabilidad de redirección abierta en el flujo de inicio de sesión donde un parámetro redirectUri proporcionado por el usuario se refleja directamente en una asignación de JavaScript 'document.location' sin codificación segura para JavaScript. Después de que un usuario completa el flujo de inicio de sesión emergente, una devolución de llamada de temporizador ejecuta la redirección utilizando el valor no validado, enviando a la víctima a un sitio controlado por el atacante. La versión 26.0 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/68d0fbb19e382fe62e6cc7bd48b51ffa1d9e310e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.