CVE-2022-32572

CVSS 9.9 CRITICALEPSS 22.7%CWE-78

In short

A flaw in WWBN AVideo allows attackers to run arbitrary commands on the server by sending a specially-crafted HTTP request to the wget functionality. This can give attackers complete control over the affected system.

Technical detail

An OS command injection vulnerability exists in the aVideoEncoder wget functionality (CWE-78) affecting WWBN AVideo 11.6 and dev master. Unsanitized user input is passed to system commands, allowing remote attackers to execute arbitrary OS commands via HTTP requests without authentication requirements. The impact is complete system compromise.

Summary generated and translated by AI from the official description.

An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products

WWBN · AVideo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql https://talosintelligence.com/vulnerability_reports/TALOS-2022-1548