CVE-2023-49862 — External Control of File Name or Path in Avideo

CWE-73 — External Control of File Name or Path CWE-610 — Externally Controlled Reference to a Resource in Another Sphere4 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 44.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedJan 10

Latest updateJan 17

Description

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_gifimage` parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5wwbn/avideodev master commit 15fed957fb

🔴Vulnerability Details

GHSA

GHSA-8vcc-cghx-67pj: An information disclosure vulnerability exists in the aVideoEncoderReceiveImage↗2024-01-10

▶

🕵️Threat Intelligence

Talos

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024↗2024-01-17

▶

Talos

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024↗2024-01-17

▶