CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49589
https://notcve.org/view.php?id=CVE-2023-49589
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability. Existe una vulnerabilidad de entropía insuficiente en la funcionalidad de generación de recoveryPass de userRecoverPass.php de la confirmación maestra de desarrollo de WWBN AVideo 15fed957fb. Una solicitud HTTP especialmente manipulada puede provocar la recuperación arbitraria de la contraseña de un usuario. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1896 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-50172
https://notcve.org/view.php?id=CVE-2023-50172
A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user. Existe una vulnerabilidad de omisión de notificación de recuperación en la funcionalidad de validación de captcha userRecoverPass.php de la confirmación maestra de desarrollo de WWBN AVideo 15fed957fb. Una solicitud HTTP especialmente manipulada puede dar lugar a la creación silenciosa de un código de acceso de recuperación para cualquier usuario. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1897 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49810
https://notcve.org/view.php?id=CVE-2023-49810
A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to captcha bypass, which can be abused by an attacker to brute force user credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. Existe una vulnerabilidad de omisión de restricción de intento de inicio de sesión en la funcionalidad checkLoginAttempts de la confirmación maestra de desarrollo de WWBN AVideo 15fed957fb. Una solicitud HTTP especialmente manipulada puede provocar la omisión de captcha, que un atacante puede aprovechar para aplicar fuerza bruta a las credenciales de los usuarios. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1898 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49599
https://notcve.org/view.php?id=CVE-2023-49599
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user. Existe una vulnerabilidad de entropía insuficiente en la funcionalidad salt generation de WWBN AVideo dev master commit 15fed957fb. Una serie de solicitudes HTTP especialmente manipuladas pueden provocar una escalada de privilegios. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900 • CWE-331: Insufficient Entropy •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-32073 – AVideo command injection vulnerability
https://notcve.org/view.php?id=CVE-2023-32073
WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3. • https://github.com/jmrcsnchz/CVE-2023-32073 https://github.com/WWBN/AVideo/commit/1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3 https://github.com/WWBN/AVideo/security/advisories/GHSA-2mhh-27v7-3vcx • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •