Description
AVideo contains a command injection vulnerability when embedding a video link.
Impact:
An attacker could execute remote code on a system running wwbn/avideo.
Steps to Reproduce:
- Go to the My Videos tab: https://demo.avideo.com/mvideos
- Click "Embed a video link"
- Append a command to the URL as a query string, e.g. ?whoami
- Then click Save
This issue has been resolved in commit 236228f15.
Packages
Name: wwbn/avideo (composer)
Affected versions: < 12.4
Fixed version: 12.4
Related vulnerabilities
CVSS3: 9.8
nvd
almost 3 years ago
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4 allows attackers to execute arbitrary code via the video link field to the Embed a video link feature.