Description
Duplicate Advisory: AVideo contains Command injection when embedding a video link
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-pgvh-p3g4-86jw. This link is maintained to preserve external references.
Original Description
Impact:
An attacker could execute remote code on a system running wwbn/avideo
Steps to Reproduce:
- Go to the My Videos tab: https://demo.avideo.com/mvideos
- Click "Embed a video link"
- Append a command to the URL as a query string, e.g. ?whoami
- Then click Save
This issue has been resolved in commit 236228f15
Packages
Name: wwbn/avideo (composer)
Affected versions: < 12.4
Fixed version: 12.4
CVSS3: 9.6 Critical
Weaknesses
CWE-78
CWE-79