CVE-2022-30534

CVSS 9.9 CRITICALEPSS 74.5%CWE-78

In short

A flaw in WWBN AVideo's file processing feature allows attackers to run any system command by sending a specially-crafted request. This can give an attacker complete control over the server.

Technical detail

OS command injection vulnerability in aVideoEncoder chunkfile functionality (CWE-78) allows unauthenticated remote code execution via specially-crafted HTTP requests. The vulnerable code fails to properly sanitize user input before passing it to system command execution, enabling arbitrary command execution with server privileges.

Summary generated and translated by AI from the official description.

An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products

WWBN · AVideo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql https://talosintelligence.com/vulnerability_reports/TALOS-2022-1546