Wwbn

AVideo is vulnerable to unauthenticated information disclosure via the `plugin/CloneSite/cloneClient.json.php` endpoint, which echoes the local CloneSite shared secret (`$objClone->myKey`) in HTTP responses without authentication, enabling cross-site database dumps of the configured clone server.

AVideo is vulnerable to unauthenticated cross-site scripting (XSS) due to an incomplete server-side fix for a YPTSocket `autoEvalCodeOnHTML` eval sink, allowing an attacker to bypass the fix by nesting the payload under a top-level `json` field, leading to arbitrary JavaScript execution in any logged-in user's browser session.