CVE-2023-25313

Name of the Vulnerable Software and Affected Versions World Wide Broadcast Network AVideo versions prior to 12.4

Description The issue allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. An attacker could execute remote code on a system running wwbn/avideo by appending a command to the URL as a query string, for example, ?whoami, and then clicking Save. This can be done by going to the My Videos tab, clicking "Embed a video link", and then appending the malicious query string.

Recommendations For versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Embed a video link" feature in the My Videos tab until the update is applied. Avoid using the video link field to execute arbitrary commands until the issue is resolved.