CVE-2023-49864 — External Control of File Name or Path in Avideo

CWE-73 — External Control of File Name or Path CWE-610 — Externally Controlled Reference to a Resource in Another Sphere CWE-476 — NULL Pointer Dereference5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 44.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedJan 10

Latest updateMay 1

Description

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_image` parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5wwbn/avideodev master commit 15fed957fb

▶NVDwwbn/avideodev_master_commit_15fed957fb

🔴Vulnerability Details

GHSA

GHSA-wgfw-cpjm-64v6: An information disclosure vulnerability exists in the aVideoEncoderReceiveImage↗2024-01-10

▶

📋Vendor Advisories

Red Hat

kernel: drm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram()↗2025-05-01

▶

🕵️Threat Intelligence

Talos

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024↗2024-01-17

▶

Talos

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024↗2024-01-17

▶