CVE-2023-30854
WWBN AVideo vulnerable to OS Command Injection
In short
AVideo, a video platform software, has a flaw where logged-in users can run harmful commands on the server by exploiting a specific webpage feature. This allows attackers to take full control of the affected system.
Technical detail
An authenticated OS Command Injection vulnerability exists in the `/plugin/CloneSite/cloneClient.json.php` endpoint, allowing authenticated users to inject arbitrary OS commands that execute with server privileges. The vulnerability enables Remote Code Execution (RCE) with no additional preconditions beyond valid authentication. Fixed in version 12.4.
Summary generated and translated by AI from the official description.
AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4.
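A log-review sketch for hosts that ran a version before 12.4, added here as an example and not taken from the advisory or the AVideo project: it lists every request that reached the endpoint named above and marks query parameters whose decoded value contains shell metacharacters. The advisory does not name the vulnerable parameter or HTTP method, so `exampleParam` and all log lines are constructed, and the Combined Log Format is an assumption; because request bodies are not written to access logs, every hit on the endpoint is returned, not only the flagged ones.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint named in the advisory; endswith() also covers sub-path installs.
ENDPOINT = "/plugin/CloneSite/cloneClient.json.php"
# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Characters and sequences that a POSIX shell treats specially.
SHELL_META = re.compile(r'[;|&`<>\r\n]|\$\(|\$\{')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding, e.g. %253B -> %3B -> ;"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def review_log(lines):
    """Return one finding per request that reached the CloneSite endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not url.path.endswith(ENDPOINT):
            continue
        # parse_qsl decodes once; decode_fully catches double encoding.
        flagged = sorted(
            name for name, val in parse_qsl(url.query, keep_blank_values=True)
            if SHELL_META.search(decode_fully(val)))
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "shell_meta_in": flagged})
    return findings

# Constructed log lines; "exampleParam" is a placeholder, not a real field.
SAMPLE = [
    '198.51.100.4 - - [10/May/2023:10:01:02 +0000] "GET /plugin/CloneSite/cloneClient.json.php?exampleParam=abc HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2023:10:05:40 +0000] "GET /plugin/CloneSite/cloneClient.json.php?exampleParam=x%3Becho+1 HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/May/2023:10:06:11 +0000] "GET /video/plugin/CloneSite/cloneClient.json.php?exampleParam=x%253Becho+1 HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/May/2023:10:07:00 +0000] "POST /plugin/CloneSite/cloneClient.json.php HTTP/1.1" 200 87',
]

for finding in review_log(SAMPLE):
    print(finding)
```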
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
WWBN · AVideo