CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47862
https://notcve.org/view.php?id=CVE-2023-47862
10 Jan 2024 — A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability. Existe una vulnerabilidad de inclusión de archivos local en la funcionalidad getLanguageFromBrowser de la confirmación maestra de desarrollo de WWBN AVideo 15fed957fb. Una solicitud HTTP especialmente manipulada puede provocar la ... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1886 • CWE-73: External Control of File Name or Path •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49589
https://notcve.org/view.php?id=CVE-2023-49589
10 Jan 2024 — An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability. Existe una vulnerabilidad de entropía insuficiente en la funcionalidad de generación de recoveryPass de userRecoverPass.php de la confirmación maestra de desarrollo de WWBN AVideo 15fed957fb. Una solicitud HT... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1896 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-50172
https://notcve.org/view.php?id=CVE-2023-50172
10 Jan 2024 — A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user. Existe una vulnerabilidad de omisión de notificación de recuperación en la funcionalidad de validación de captcha userRecoverPass.php de la confirmación maestra de desarrollo de WWBN AVideo 15fed957fb. Una solicitud HTTP especialmente manipulada puede ... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1897 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49810
https://notcve.org/view.php?id=CVE-2023-49810
10 Jan 2024 — A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to captcha bypass, which can be abused by an attacker to brute force user credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. Existe una vulnerabilidad de omisión de restricción de intento de inicio de sesión en la funcionalidad checkLoginAttempts de la confirmación maestra de desarrollo d... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1898 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49599
https://notcve.org/view.php?id=CVE-2023-49599
10 Jan 2024 — An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user. Existe una vulnerabilidad de entropía insuficiente en la funcionalidad salt generation de WWBN AVideo dev master commit 15fed957fb. Una se... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900 • CWE-331: Insufficient Entropy •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-32073 – AVideo command injection vulnerability
https://notcve.org/view.php?id=CVE-2023-32073
12 May 2023 — WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3. • https://github.com/jmrcsnchz/CVE-2023-32073 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-30860 – https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm
https://notcve.org/view.php?id=CVE-2023-30860
08 May 2023 — WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this ... • https://github.com/WWBN/AVideo/security/advisories/GHSA-xr9h-p2rc-rpqm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-30854 – WWBN AVideo vulnerable to OS Command Injection
https://notcve.org/view.php?id=CVE-2023-30854
28 Apr 2023 — AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4. • https://github.com/jmrcsnchz/CVE-2023-30854 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25314
https://notcve.org/view.php?id=CVE-2023-25314
25 Apr 2023 — Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user. • https://github.com/WWBN/AVideo/commit/2b44dee815b208da85e1dcafa9839391c3de2655 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25313
https://notcve.org/view.php?id=CVE-2023-25313
25 Apr 2023 — OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. • https://github.com/WWBN/AVideo/security/advisories/GHSA-pgvh-p3g4-86jw • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •