WWBN AVideo, an open source video platform, suffers from an XSS vulnerability in versions 29.0 and earlier due to incomplete sanitization in the ParsedownSafeWithLinks markdown parser. While the inlineMarkup method was overridden to block raw HTML, the inlineLink() and inlineUrlTag() methods were not overridden, allowing javascript: URLs in markdown link syntax to bypass sanitization. This flaw permits injection of malicious scripts via crafted markdown links. A specific commit has been identified that updates the fix, but no official patch or remediation level has been published yet.

Successful exploitation could allow an attacker with low privileges and requiring user interaction to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to information disclosure or session hijacking. The CVSS score of 5.4 reflects limited impact with user interaction required and partial confidentiality and integrity impact. There are no reports of exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should monitor WWBN's official channels for the release of an official fix corresponding to the commit identified. Until patched, avoid processing untrusted markdown content or restrict markdown input sources to trusted users only.