WWBN AVideo is an open-source video platform that prior to version 21.0 allowed Markdown in video comments using Parsedown v1.7.4 without enabling Safe Mode. This configuration fails to properly sanitize Markdown links, permitting 'javascript:' URI schemes to be rendered as clickable links. An authenticated attacker with low privileges can post comments containing malicious JavaScript payloads embedded in these links. When other users click the links, the JavaScript executes in their browsers, enabling persistent cross-site scripting (XSS) attacks. The consequences include session hijacking, privilege escalation (potentially leading to admin account takeover), and data exfiltration. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond low-level authentication, and user interaction needed. The vendor addressed the issue in version 21.0 by enabling Parsedown Safe Mode and improving URI scheme validation to block unsafe schemes like 'javascript:'. No known exploits are reported in the wild yet. Workarounds include validating and blocking unsafe URI schemes before rendering Markdown and enabling Safe Mode in Parsedown to prevent unsafe link rendering.

This vulnerability allows attackers to execute persistent XSS attacks within the AVideo platform, potentially compromising the confidentiality and integrity of user sessions and data. Exploitation can lead to session hijacking, allowing attackers to impersonate victims, escalate privileges to gain administrative control, and exfiltrate sensitive information. For organizations using AVideo, this can result in unauthorized access to video content, user data breaches, defacement, and loss of user trust. Since the attack requires user interaction (clicking a malicious link), social engineering is a key factor. The scope includes all users interacting with comments on affected AVideo instances, which could be significant for platforms with large user bases. The medium CVSS score reflects moderate risk but the potential for serious impact if exploited in environments with sensitive data or high-value targets.

Organizations should immediately upgrade WWBN AVideo to version 21.0 or later, where the vulnerability is fixed. Until patching is possible, implement strict input validation to block unsafe URI schemes such as 'javascript:' in Markdown comments. Enable Parsedown Safe Mode to enforce safer Markdown rendering. Additionally, consider sanitizing user-generated content with robust libraries that whitelist safe HTML and URI schemes. Educate users to avoid clicking suspicious links in comments. Implement Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Monitor logs for unusual comment activity or repeated failed attempts to post malicious content. Regularly audit and update third-party libraries like Parsedown to their latest secure versions. Finally, restrict comment posting privileges to trusted users if feasible to reduce attack surface.