CVE-2023-32073 — Command Injection in Avideo

CWE-77 — Command Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

5.6%

top 9.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedMay 12

Description

WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDwwbn/avideo12.4

▶Packagistwwbn/avideo12.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

WWBN AVideo command injection vulnerability↗2023-05-12

▶

GHSA

WWBN AVideo command injection vulnerability↗2023-05-12

▶