Lucene search
K

11 matches found

NVD
NVD
added 2026/05/29 2:16 p.m.10 views

CVE-2026-45731

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $POST'updateFile' as a relative path under updatedb/ and passes it to PHP's file for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary tex...

6.9CVSS0.00469EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 1:5 p.m.8 views

CVE-2026-45731

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $POST'updateFile' as a relative path under updatedb/ and passes it to PHP's file for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary tex...

6.9CVSS6AI score0.00469EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of the view/update.php script, which read $POSTupdateFile as a relative path under the...

6.9CVSS5.8AI score0.00469EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/18 7:1 p.m.8 views

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the updateFile parameter in the view/update.php process. An attacker can access arbitrary files on the server by supplying crafted path...

6.9CVSS6.3AI score0.00469EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/18 7:1 p.m.13 views

AVideo: Authenticated Arbitrary File Read in view/update.php

Summary view/update.php reads $POST'updateFile' as a relative path under updatedb/ and passes it to PHP's file for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process — especially...

6.9CVSS6.1AI score0.00469EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2023/09/04 11:15 a.m.19 views

CVE-2023-4615

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of prope...

7.5CVSS7.3AI score0.01251EPSS
Exploits0References2
OSV
OSV
added 2023/09/04 11:15 a.m.4 views

CVE-2023-4615

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of prope...

7.5CVSS5.7AI score0.01251EPSS
Exploits0References2
Zero Day Initiative
Zero Day Initiative
added 2023/08/25 12:0 a.m.32 views

LG LED Assistant updateFile Directory Traversal Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of prope...

7.5CVSS6.1AI score
Exploits0References1
OSV
OSV
added 2020/08/24 3:15 p.m.3 views

CVE-2020-19891

DBHcms v1.2.0 has an Arbitrary file write vulnerability in dbhcms\mod\mod.editor.php $POST'updatefile' is filename and $POST'tinymcecontent' is file content, there is no filter function for security. A remote authenticated admin user can exploit this vulnerability to get a webshell...

7.2CVSS7.1AI score0.0141EPSS
Exploits1References1
Cvelist
Cvelist
added 2020/01/24 9:57 p.m.26 views

CVE-2014-9625

The GetUpdateFile function in misc/update.c in the Updater in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted update...

7.9AI score0.02385EPSS
Exploits0References3
NVD
NVD
added 2011/06/08 10:36 a.m.12 views

CVE-2011-1584

The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the mediapath or mediafile parameter. NOTE: some of these details are...

6.5CVSS7.2AI score0.01691EPSS
Exploits1References9
Rows per page
Query Builder