CVE-2024-49605 identifies a Cross-Site Request Forgery (CSRF) vulnerability in Stefan Nour's AVChat Video Chat software, specifically versions up to and including 2.2. The vulnerability allows attackers to craft malicious requests that, when executed by an authenticated user, perform unauthorized actions without their consent. This CSRF flaw is compounded by the presence of Stored Cross-Site Scripting (XSS), meaning that injected malicious scripts persist on the server and are served to users, enabling attackers to execute arbitrary JavaScript in victims' browsers. The combination of CSRF and stored XSS can be exploited to hijack user sessions, steal sensitive information, or manipulate chat content and user interactions. The vulnerability affects the integrity and confidentiality of the application and its users. No CVSS score has been assigned yet, and no known exploits are currently reported in the wild. The vulnerability was published on October 20, 2024, and affects all versions up to 2.2. The lack of patches or official fixes at the time of reporting necessitates immediate attention from administrators. The attack requires the victim to be authenticated but does not require additional user interaction beyond visiting a malicious page or link. This vulnerability is particularly critical in environments where AVChat is used for sensitive communications or business operations.

The impact of CVE-2024-49605 is significant for organizations using AVChat Video Chat, especially those relying on it for real-time communication in business, education, or customer support. Successful exploitation can lead to unauthorized actions performed on behalf of legitimate users, compromising the integrity of conversations and potentially allowing attackers to inject persistent malicious scripts. This can result in session hijacking, credential theft, unauthorized data access, and manipulation of chat content. The stored XSS aspect increases the risk of widespread compromise as malicious scripts can affect multiple users over time. Confidentiality is at risk due to potential data leakage, integrity is compromised by unauthorized changes, and availability could be impacted if attackers disrupt chat services. Organizations may face reputational damage, regulatory compliance issues, and operational disruptions. The absence of known exploits in the wild provides a window for remediation, but the vulnerability's nature demands urgent mitigation to prevent future attacks.

To mitigate CVE-2024-49605, organizations should first verify if an official patch or update from Stefan Nour is available and apply it immediately. In the absence of a patch, implement anti-CSRF tokens in all state-changing requests to ensure that requests originate from legitimate users. Employ Content Security Policy (CSP) headers to limit the impact of stored XSS by restricting script execution sources. Conduct thorough input validation and output encoding on all user-supplied data to prevent script injection. Restrict the use of cookies with the SameSite attribute set to 'Strict' or 'Lax' to reduce CSRF risks. Monitor web server and application logs for unusual activity indicative of CSRF or XSS exploitation attempts. Educate users about the risks of clicking on untrusted links while authenticated. Consider deploying Web Application Firewalls (WAFs) with rules targeting CSRF and XSS attack patterns specific to AVChat. Finally, isolate the AVChat deployment in a segmented network zone to limit lateral movement if compromised.