SCA: security update for wwbn/avideo (GHSA-xr9h-p2rc-rpqm)

medium Tenable Cloud Security Plugin ID 420644

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a
Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize
the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts.
Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead
to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.
(CVE-2023-30860)

See Also

https://github.com/advisories/GHSA-xr9h-p2rc-rpqm

Plugin Details

Severity: Medium

ID: 420644

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-30860

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/1/2023

Vulnerability Publication Date: 5/1/2023

Reference Information

CVE: CVE-2023-30860

cwe: CWE-79