CVE-2022-33149

Name of the Vulnerable Software and Affected Versions WWBN AVideo version 11.6 WWBN AVideo dev master commit 3f7c0364

Description A sql injection vulnerability exists in the ObjectYPT functionality, allowing an attacker to inject SQL by manipulating the url parameter. This issue is present in the CloneSite plugin. An attacker can send a specially-crafted HTTP request to trigger this vulnerability.

Recommendations For WWBN AVideo version 11.6, consider disabling the CloneSite plugin until a patch is available. For WWBN AVideo dev master commit 3f7c0364, restrict access to the ObjectYPT functionality to minimize the risk of exploitation. As a temporary workaround, avoid using the url parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.