Threalwinky

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description AVideo is an open source video platform. Versions 26.0 and prior are susceptible to a Server-Side Request Forgery (SSRF) issue within the Live restream log callback flow. This flow accepts a restreamerURL controlled by an attacker and subsequently fetches this URL server-side. This enables a stored SSRF, allowing authenticated streamers to trigger requests to loopback or internal HTTP services through the restream log feature. A low-privilege user with streaming permission can store an arbitrary callback URL and initiate server-side requests to internal resources. Recommendations Update AVideo to a version later than 26.0.

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 26.0 and prior Description WWBN AVideo, an open source video platform, has an issue in the `aVideoEncoderReceiveImage.json.php` file. An authenticated uploader can fetch attacker-controlled URLs, bypassing traversal scrubbing and exposing server-local files through the GIF poster storage path. This allows reading local files, such as `/etc/passwd` or application source files, and republishing their content through a public GIF media URL. Recommendations Update to a version of WWBN AVideo later than 26.0.

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description AVideo, an open source video platform, has a Server-Side Request Forgery (SSRF) issue in the objects/aVideoEncoder.json.php file. Attackers can control the `downloadURL` parameter, using common media or archive extensions like .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm, to bypass SSRF validation. The server then retrieves the response and saves it as media content. This allows an authenticated uploader to use the upload-by-URL flow to reliably exfiltrate data via SSRF. This is due to an incomplete fix for a previously identified issue. Recommendations Update AVideo to a version later than 26.0.

**Name of the Vulnerable Software and Affected Versions** lodash versions prior to 4.18.0 **Description** The software contains a flaw related to template compilation. Specifically, insufficient validation of key names within the `options.imports` object used by the ` .template` function can allow an attacker to inject default-parameter expressions, leading to arbitrary code execution. The issue arises because validation applied to the `option` variable is not extended to the `options.imports` key names. Furthermore, the use of `assignInWith` can introduce vulnerabilities if `Object.prototype` has been compromised, potentially copying polluted keys into the imports object and ultimately executing malicious code. **Recommendations** Upgrade to version 4.18.0. Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.