Lucene search

[email protected]NVD:CVE-2022-33147

HistoryAug 22, 2022 - 7:15 p.m.

CVE-2022-33147

2022-08-2219:15:10

CWE-89

[email protected]

web.nvd.nist.gov

cve-2022-33147

sql injection

objectypt

avideo 11.6

dev master commit 3f7c0364

http request

avideoencoder

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

41.8%

JSON

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.This vulnerability exists in the aVideoEncoder functionality which can be used to add new videos, allowing an attacker to inject SQL by manipulating the videoDownloadedLink or duration parameter.

Affected configurations

Nvd

Node

wwbnavideoMatch11.6

VendorProductVersionCPE
wwbnavideo11.6cpe:2.3:a:wwbn:avideo:11.6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wwbn	avideo	11.6	cpe:2.3:a:wwbn:avideo:11.6:::::::*

References

github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql

talosintelligence.com/vulnerability_reports/TALOS-2022-1551

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

41.8%

JSON

Related for NVD:CVE-2022-33147

osv1 cvelist1 prion1 cve1 talos1 talosblog1