CVE-2022-30547
In short
A flaw in AVideo's file extraction feature allows attackers to escape the intended directory and execute arbitrary commands on the server by sending a specially-crafted request. This is a critical vulnerability that gives attackers full control over the system.
Technical detail
A directory traversal vulnerability in the unzipDirectory function (CWE-22) allows unauthenticated remote attackers to traverse outside the intended extraction directory and achieve arbitrary command execution. The vulnerability is triggered via malicious HTTP requests and affects AVideo 11.6 and the dev master branch.
Summary generated and translated by AI from the official description.
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
WWBN · AVideo