Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` applies `escapeshellarg` to the value passed to wget but leaves the `file_get_contents` and `curl` code paths unsanitized. The URL validation regex `/^http/` only checks that the string begins with `http`; it does not require a scheme separator, so non-URL strings such as `httpevil[.]com` pass the check. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
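As an added illustration, not AVideo's `test.php` and not the code in the referenced commits, the PHP below places the prefix-only check the advisory describes beside a scheme-allowlist check and routes all three fetch paths through that single gate. The function names, the `fetchUrl` dispatcher and the sample inputs are assumptions made for this example.

```php
<?php
// Added example for this advisory; it is not AVideo's test.php and not the
// code from the referenced commits. Function names, the fetchUrl dispatcher
// and the sample inputs are illustrative assumptions.

// The prefix-only check the advisory describes: it only asks whether the
// string starts with "http", so "httpevil.com" (no "://", not a URL) passes.
function weakUrlCheck(string $url): bool
{
    return preg_match('/^http/', $url) === 1;
}

// Hardened check (assumed, not the project's): parse the string as a URL,
// allow only the http and https schemes, require a host, and reject
// whitespace, control characters and embedded credentials.
function isSafeHttpUrl(string $url): bool
{
    if (preg_match('/[\x00-\x1F\x7F\s]/', $url) === 1) {
        return false;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return true;
}

// One gate in front of every fetch path. escapeshellarg() matters only where
// the value reaches a shell (the wget path); file_get_contents and curl never
// see a shell, so quoting them would not help. The scheme allowlist is what
// keeps file://, php:// and scheme-less strings (which PHP's file wrapper
// would open as a relative path) away from the two non-shell paths.
function fetchUrl(string $url, string $method): ?string
{
    if (!isSafeHttpUrl($url)) {
        return null;
    }
    switch ($method) {
        case 'wget':
            return shell_exec('wget -q -O - --max-redirect=0 ' . escapeshellarg($url));
        case 'file_get_contents':
            $body = file_get_contents($url);
            return $body === false ? null : $body;
        case 'curl':
            $ch = curl_init($url);
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_FOLLOWLOCATION => false,   // no redirect to another scheme
                CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
                CURLOPT_TIMEOUT        => 10,
            ]);
            $body = curl_exec($ch);
            curl_close($ch);
            return $body === false ? null : $body;
        default:
            return null;
    }
}

// Constructed inputs showing where the two checks disagree.
$samples = [
    'http://example.com/video.mp4',
    'https://example.com/video.mp4',
    'httpevil.com',
    'http://user:pw@example.com/',
    'file:///etc/passwd',
    'php://filter/resource=test.php',
];
foreach ($samples as $s) {
    printf("%-36s weak=%s hardened=%s\n", $s,
        weakUrlCheck($s) ? 'accept' : 'reject',
        isSafeHttpUrl($s) ? 'accept' : 'reject');
}
```

Run it with the `php` CLI; the sample loop shows `httpevil.com` accepted by the prefix regex and rejected by the allowlist, alongside the `file://` and `php://` inputs. The `file_get_contents` path still depends on `allow_url_fopen` being enabled, and the cURL `CURLOPT_PROTOCOLS` setting is the second line of defence that stops a redirect or a non-HTTP scheme from being followed even if the validation above were bypassed.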
CVSS breakdown
CVSS 3.1 base metrics (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N; base score 9.3, Critical, computed from these metrics):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: None
Affected products
- WWBN / AVideo: versions <= 29.0
References
- VENDOR_ADVISORY: https://github.com/WWBN/AVideo/security/advisories/GHSA-pq8p-wc4f-vg7j
- VENDOR_ADVISORY: https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
- PATCH: https://github.com/WWBN/AVideo/commit/1e6cf03e93b5a5318204b010ea28440b0d9a5ab3
- PATCH: https://github.com/WWBN/AVideo/commit/78bccae74634ead68aa6528d631c9ec4fd7aa536