CVE-2023-49599Insufficient Entropy in Avideo

CWE-331Insufficient Entropy5 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.3%
top 47.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
PublishedJan 10
Latest updateJan 17

Description

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Packagistwwbn/avideo12.4
CVEListV5wwbn/avideodev master commit 15fed957fb
NVDwwbn/avideo15fed957fb

🔴Vulnerability Details

2
GHSA
WWBN AVideo Insufficient Entropy vulnerbaility2024-01-10
OSV
WWBN AVideo Insufficient Entropy vulnerbaility2024-01-10

🕵️Threat Intelligence

2
Talos
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 20242024-01-17
Talos
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 20242024-01-17