WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site
Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.
Check my exposure →This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.