2 matches found
GHSA-3MJV-375J-6H92 AVideo: Authenticated Arbitrary File Read in view/update.php
Summary: view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process — especially...
A vulnerability in the update_module.php script in the U.motion builder system allows an attacker to execute arbitrary code.
The vulnerability in the update_module.php script in the U.motion builder system exists due to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending a specially crafted request to the server using the updatefile parameter...