Advisories for Composer/Wwbn/Avideo package

The PHP file view/about.php is vulnerable to an XSS issue due to no sanitization of the user agent. At line [53], the website gets the user-agent from the headers through $_SERVER['HTTP_USER_AGENT'] and echo it without any sanitization. In PHP, echo a user generated statement, here the User-Agent Header, without any sanitization allows an attacker to inject malicious scripts into the output of a web page, which are then executed in …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f98p-2hc5-fm7v. This link is maintained to preserve external references. Original Description WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS).

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.

A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user.

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user.

A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to captcha bypass, which can be abused by an attacker to brute force user credentials. An attacker can send a series of HTTP requests to trigger this vulnerability.

WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at plugin/CloneSite/cloneClient.json.php which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wwbn/avideo.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wwbn/avideo.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wwbn/avideo.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wwbn/avideo.

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.

Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page.