CVE-2022-28710
https://notcve.org/view.php?id=CVE-2022-28710
22 Aug 2022 — An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability. • https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql • CWE-73: External Control of File Name or Path; CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CVE-2022-26842
https://notcve.org/view.php?id=CVE-2022-26842
22 Aug 2022 — A reflected cross-site scripting (XSS) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. • https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-27463
https://notcve.org/view.php?id=CVE-2022-27463
05 Apr 2022 — Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6 allows attackers to arbitrarily redirect users from a crafted URL to the login page. • https://avideo.tube • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-27462
https://notcve.org/view.php?id=CVE-2022-27462
05 Apr 2022 — Cross-site scripting (XSS) vulnerability in the getDeviceID function of objects/function.php in WWBN AVideo through 11.6, reachable via the yptDevice parameter of view/include/head.php. • https://avideo.tube • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21286 – Authorization Bypass in AVideo Platform
https://notcve.org/view.php?id=CVE-2021-21286
01 Feb 2021 — AVideo Platform is an open-source audio and video platform, similar to a self-hosted YouTube. In AVideo Platform before version 10.2 there is an authorization bypass vulnerability which enables an ordinary user to get admin control. This is fixed in version 10.2. All queries now remove the pass hash and the recoverPass hash. • https://avideo.tube • CWE-863: Incorrect Authorization
CVE-2020-23489
https://notcve.org/view.php?id=CVE-2020-23489
16 Nov 2020 — The import.json.php file before version 8.9 of AVideo contains a file deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin. • https://github.com/ahussam/AVideo3xploit • CWE-862: Missing Authorization
CVE-2020-23490
https://notcve.org/view.php?id=CVE-2020-23490
16 Nov 2020 — There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server, which could leak database credentials or other sensitive information such as the /etc/passwd file. • https://cube01.io/blog/Avideo-Remote-Code-Execution.html