CVE-2025-46410 is a critical cross-site scripting (XSS) vulnerability identified in the WWBN AVideo platform, specifically affecting version 14.4 and the development master branch at commit 8a8954ff. The vulnerability resides in the 'managerPlaylists' functionality, particularly in the PlaylistOwnerUsersId parameter. Improper neutralization of input during web page generation allows an attacker to inject arbitrary JavaScript code. This occurs because user-supplied input is not correctly sanitized or encoded before being reflected in the web page output. An attacker can exploit this by crafting a malicious HTTP request containing the payload in the vulnerable parameter and tricking a user into visiting a specially crafted URL. Upon visiting, the injected script executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The vulnerability has a CVSS v3.1 base score of 9.6, indicating critical severity, with attack vector being network accessible, low attack complexity, no privileges required, but requiring user interaction (visiting a malicious link). The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. Confidentiality, integrity, and availability impacts are all rated high, reflecting the broad potential damage. No public exploits are currently known in the wild, but the high severity and ease of exploitation make it a significant risk. The lack of available patches at the time of publication increases urgency for mitigation.

For European organizations using WWBN AVideo 14.4 or the affected development versions, this vulnerability poses a substantial risk. AVideo is a video hosting and streaming platform often used by educational institutions, media companies, and enterprises for internal and external content delivery. Exploitation could lead to unauthorized access to user sessions, data leakage, defacement of video content portals, or distribution of malicious scripts to users. This can damage organizational reputation, lead to regulatory non-compliance (especially under GDPR due to potential personal data exposure), and disrupt business operations. The critical nature of the vulnerability means attackers can easily exploit it remotely without authentication, increasing the attack surface. European organizations with public-facing AVideo instances are particularly at risk, as attackers can lure users into visiting malicious URLs. The impact extends to confidentiality (exposure of sensitive user data), integrity (alteration of content or user actions), and availability (potential denial of service through script-based attacks). Given the widespread use of web applications in Europe and strict data protection laws, the consequences of exploitation could include significant financial penalties and loss of user trust.

Immediate mitigation steps include: 1) Applying any available patches or updates from WWBN as soon as they are released. Since no patches were available at publication, organizations should monitor vendor communications closely. 2) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the PlaylistOwnerUsersId parameter. 3) Employing input validation and output encoding at the application layer to sanitize user inputs, particularly in parameters reflected in web pages. 4) Restricting access to the AVideo management interfaces to trusted networks or VPNs to reduce exposure. 5) Educating users about the risks of clicking on unsolicited links and encouraging the use of security-aware browsing practices. 6) Conducting regular security assessments and penetration testing focused on XSS vulnerabilities. 7) Utilizing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. These measures combined can reduce the risk until a vendor patch is applied.