CVE-2022-28710

CVSS 6.5 MEDIUM · EPSS 2.3% · CWE-73
In short

A flaw in WWBN AVideo's file handling allows attackers to read arbitrary files from the server by sending specially-crafted HTTP requests. This exposes sensitive data like configuration files and private information.

Technical detail

CWE-73 (External Control of File Name or Path) exists in the chunkFile functionality, allowing path traversal attacks. An attacker (low privileges required, per PR:L in the CVSS vector) can craft HTTP requests to access files outside the intended directories, resulting in disclosure of sensitive server data.

Summary generated and translated by AI from the official description.
An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
WWBN · AVideo
