CVE-2023-32073

AVideo command injection vulnerability

CVSS 8.8 HIGH · EPSS 6.5% · CWE-77
In short

AVideo has a command injection flaw in its CloneSite plugin that lets attackers run arbitrary code on the server. The flaw bypasses a previous security fix and affects versions 12.4 and earlier.

Technical detail

A command injection vulnerability exists in `plugin/CloneSite/cloneClient.json.php` that allows unauthenticated remote code execution through improperly sanitized input passed to system commands. The vulnerability is a bypass of the mitigation for CVE-2023-30854. Successful exploitation requires the CloneSite plugin to be enabled and results in complete server compromise.

Summary generated and translated by AI from the official description.
WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
WWBN · AVideo
