CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26842
https://notcve.org/view.php?id=CVE-2022-26842
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. Se presenta una vulnerabilidad de tipo cross-site scripting (xss) reflejado en la funcionalidad charts tab selection de WWBN AVideo versiones 11.6 y dev master commit 3f7c0364. Una petición HTTP especialmente diseñada puede conllevar a una ejecución arbitraria de Javascript. • https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql https://talosintelligence.com/vulnerability_reports/TALOS-2022-1537 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27463
https://notcve.org/view.php?id=CVE-2022-27463
Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. Una vulnerabilidad de redireccionamiento abierto en el archivo objects/login.json.php en WWBN Avideo versiones hasta 11.6, permite a atacantes redirigir arbitrariamente a usuarios desde una url diseñada a la página de inicio de sesión • https://avideo.tube https://github.com/WWBN/AVideo/commit/77e9aa6411ff4b97571eb82e587139ec05ff894c • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27462
https://notcve.org/view.php?id=CVE-2022-27462
Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en el archivo objects/function.php en la función getDeviceID en WWBN AVideo versiones hasta 11.6, por medio del parámetro yptDevice en el archivo view/include/head.php • https://avideo.tube https://github.com/WWBN/AVideo/commit/3722335f808484e6bfb5e71028fedddd942add4a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21286 – Authorization Bypass in AVideo Platform
https://notcve.org/view.php?id=CVE-2021-21286
AVideo Platform is an open-source Audio and Video platform. It is similar to a self-hosted YouTube. In AVideo Platform before version 10.2 there is an authorization bypass vulnerability which enables an ordinary user to get admin control. This is fixed in version 10.2. All queries now remove the pass hash and the recoverPass hash. • https://avideo.tube https://github.com/WWBN/AVideo/security/advisories/GHSA-xq8j-fhg5-hr39 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-23489
https://notcve.org/view.php?id=CVE-2020-23489
The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin. El archivo import.json.php anterior a versión 8.9 para AVideo es susceptible a una vulnerabilidad de eliminación de archivos. Esto permite la eliminación del archivo configuration.php, lo que conduce a que no se lleven a cabo determinadas comprobaciones de privilegios y, por lo tanto, un usuario puede escalar los privilegios a administrador • https://cube01.io/blog/Avideo-Remote-Code-Execution.html https://github.com/WWBN/AVideo/commit/ecc5f40470bbafff231133f58db1df70f47bfb33 • CWE-862: Missing Authorization •