443 matches found
WWBN AVideo 11.6 - Cross-Site Scripting
WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'msg' parameter, which is inserted into the document with insufficient sanitization. id: CVE-2022-32772 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: arafatansari severity: medi...
WWBN AVideo 11.6 - Cross-Site Scripting
WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'toast' parameter, which is inserted into the document with insufficient sanitization. id: CVE-2022-32770 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: arafatansari severity:...
WWBN AVideo 11.6 - Cross-Site Scripting
WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'success' parameter, which is inserted into the document with insufficient sanitization. id: CVE-2022-32771 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: arafatansari severity:...
WWBN AVideo 11.6 - Cross-Site Scripting
A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution. id: CVE-2023-48728 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: ritikchaddha severity: medium...
CVE-2026-55173
WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single & the shell background operator. CVE-2026-33482 reported that sanitizeFFmpegCommand...
CVE-2026-49279 WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json'msg', but msgToResourceId reads from...
CVE-2026-49279 WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json'msg', but msgToResourceId reads from...
CVE-2026-43878
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a...
CVE-2026-41061
WWBN AVideo is an open source video platform. In versions 29.0 and below, the isValidDuration regex at objects/video.php:918 uses /^0-91,2:0-91,2:0-91,2/ without a $ end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the...
CVE-2026-46337
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded...
CVE-2026-45580
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
CVE-2026-45580
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
CVE-2026-45610
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and...
EUVD-2026-33308
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...
CVE-2026-46337 WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded...
CVE-2026-46337 WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded...
CVE-2026-47696 WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess =...
WWBN AVideo 安全漏洞
WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to version 29 contain security vulnerabilities. These vulnerabilities allow unauthorized remote attackers to read arbitrary image files on a disk that can be accessed by PHP...
WWBN AVideo 授权问题漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained an authorization vulnerability. This vulnerability stemmed from the absence of user login checks and administrator gatekeeping in the objects/mention.json.php file...
WWBN AVideo 操作系统命令注入漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained an operating system command injection vulnerability. This vulnerability stemmed from the execAsync command in the YPTSocket notification branch, which constructed...