Wwbn Avideo vulnerabilities

CVE-2025-34436 [HIGH] CWE-639 CVE-2025-34436: AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belongin AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.

CVE-2025-34435 [HIGH] CWE-639 CVE-2025-34435: AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allo AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.

CVE-2025-34437 [HIGH] CWE-639 CVE-2025-34437: AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

CVE-2025-34442 [MEDIUM] CWE-497 CVE-2025-34442: AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.

CVE-2025-34440 [MEDIUM] CWE-601 CVE-2025-34440: AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validati AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.

CVE-2025-34439 [MEDIUM] CWE-601 CVE-2025-34439: AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of t AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.

CVE-2025-34441 [MEDIUM] CWE-359 CVE-2025-34441: AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public AP AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

CVE-2025-34438 [MEDIUM] CWE-639 CVE-2025-34438: AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing use AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.

CVE-2025-41420 [CRITICAL] CWE-79 CVE-2025-41420: A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVE-2025-36548 [CRITICAL] CWE-79 CVE-2025-36548: A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri paramete A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVE-2025-48732 [CRITICAL] CWE-184 CVE-2025-48732: An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8 An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability.

CVE-2025-25214 [HIGH] CWE-362 CVE-2025-25214: A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVid A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP request can lead to arbitrary code execution.

CVE-2025-50128 [MEDIUM] CWE-79 CVE-2025-50128: A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functio A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVE-2025-46410 [MEDIUM] CWE-79 CVE-2025-46410: A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId param A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVE-2025-53084 [MEDIUM] CWE-79 CVE-2025-53084: A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVE-2024-34899 [MEDIUM] CWE-79 CVE-2024-34899: WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS).

CVE-2024-31819 [CRITICAL] CWE-94 CVE-2024-31819: An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.

CVE-2023-49599 [CRITICAL] CWE-331 CVE-2023-49599: An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery

CVE-2023-47862 [CRITICAL] CWE-73 CVE-2023-47862: A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVid A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability.

CVE-2023-49715 [HIGH] CWE-434 CVE-2023-49715: A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functional A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution when chained with an LFI vulnerability. An attacker can send a series of HTTP requests to trigger this vulnerability.