


Perceptive Security
SOC/SIEM Consultancy

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies t…
Published:
20 April 2026 at 22:00:00
Alert date:
21 April 2026 at 22:04:46
Source:
nvd.nist.gov
Web Technologies
WWBN AVideo versions 29.0 and prior contain a critical vulnerability in the YPTSocket plugin's WebSocket server. The server relays attacker-supplied JSON message bodies to connected clients without sanitization, and the client-side script passes the msg and callback fields of those messages to eval() sinks. An unauthenticated attacker can therefore broadcast arbitrary JavaScript that executes in the browser of every connected user, including administrators, which leads to universal account takeover, session theft and execution of privileged actions as the victim.
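The following is an added illustrative example, not code from the AVideo project or the advisory. It shows the client-side pattern the advisory describes (a relayed JSON message whose msg and callback fields reach eval()) beside a hardened handler that resolves callback through a closed dispatch table and treats msg strictly as data. The field names msg and callback come from the advisory; the handler shapes, the dispatch table, the nested-JSON layout of msg and the sample messages are assumptions constructed for this example.

```javascript
// Added example, not AVideo code. Field names "msg" and "callback" are from the
// advisory; handler structure, dispatch table and sample traffic are assumptions.

// --- Vulnerable pattern described by the advisory --------------------------
// The relay forwards the attacker-controlled JSON body unchanged and the client
// feeds two of its fields to eval(). Anyone who can open a socket runs
// JavaScript in every connected browser, admins included.
function handleMessageVulnerable(rawJson) {
  const data = JSON.parse(rawJson);
  const results = [];
  if (typeof data.callback === 'string') {
    results.push(eval(data.callback)); // eval sink 1: attacker-chosen code
  }
  if (typeof data.msg === 'string') {
    results.push(eval(`(${data.msg})`)); // eval sink 2: "parsing" via eval
  }
  return results;
}

// --- Hardened handler ------------------------------------------------------
// callback is looked up in a frozen dispatch table (own properties only, so
// "constructor" or "__proto__" are rejected) and msg is parsed with JSON.parse
// and shape-checked. Nothing from the message is ever evaluated as code.
const CALLBACKS = Object.freeze({
  onChat: (payload) => ({ kind: 'chat', text: String(payload.text || '') }),
  onPresence: (payload) => ({ kind: 'presence', users: Number(payload.users) || 0 }),
});

function handleMessageHardened(rawJson) {
  let data;
  try {
    data = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, reason: 'malformed JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'envelope is not an object' };
  }
  if (!Object.prototype.hasOwnProperty.call(CALLBACKS, data.callback)) {
    return { ok: false, reason: 'unknown callback ' + JSON.stringify(data.callback) };
  }
  let payload;
  try {
    payload = typeof data.msg === 'string' ? JSON.parse(data.msg) : data.msg;
  } catch (e) {
    return { ok: false, reason: 'malformed msg' };
  }
  if (payload === null || typeof payload !== 'object') {
    return { ok: false, reason: 'msg is not an object' };
  }
  return { ok: true, result: CALLBACKS[data.callback](payload) };
}

// --- Constructed sample traffic (not captured from a real deployment) ------
// In a browser the injected code would read document.cookie or call privileged
// endpoints as the victim; here it sets a global marker so the effect is visible.
const BENIGN = JSON.stringify({ callback: 'onChat', msg: JSON.stringify({ text: 'hello' }) });
const MALICIOUS = JSON.stringify({
  callback: 'globalThis.__injected = "code ran in the client"',
  msg: '{ text: "hi" }',
});

// Runs both handlers on the injected message and reports whether the
// attacker-supplied code executed in each case.
function demo() {
  delete globalThis.__injected;
  handleMessageVulnerable(MALICIOUS);
  const vulnerableRan = globalThis.__injected === 'code ran in the client';

  delete globalThis.__injected;
  const hardenedResult = handleMessageHardened(MALICIOUS);
  const hardenedRan = globalThis.__injected !== undefined;

  return { vulnerableRan, hardenedRan, hardenedResult, benign: handleMessageHardened(BENIGN) };
}
```

Run with `node` and inspect `demo()`: the vulnerable handler executes the injected callback, while the hardened one rejects it as an unknown callback and still dispatches the benign chat message. The server-side fix is separate (validate and authenticate what the relay forwards), but a client that never evaluates message fields is what removes the universal-XSS impact.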
Technical details
Mitigation steps:
Affected products:
WWBN AVideo
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40911
https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd
https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
