PT-2023-22997 · Avideo · Avideo

Published: 2023-02-02 · Updated: 2023-04-27 · CVE-2023-30842

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 12.4

Description: The "Embed a video link" feature in the My Videos tab (endpoint https://demo.avideo.com/mvideos) allows remote code execution on a system running AVideo. An attacker embeds a malicious video link with a command appended to the URL as a query string, for example ?whoami, and that command is executed on the server. This issue has been resolved in a specific commit.

Recommendations: For versions prior to 12.4, update to version 12.4. Until the update is applied, restrict access to the "Embed a video link" feature in the My Videos tab as a temporary workaround, and do not use the feature with untrusted video links.
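As an added illustration of the recommendation above (treat embed links as untrusted input and validate them before the feature processes them), the following validator and audit routine show one defensive shape such a check can take. This is example code, not AVideo's own: the host allowlist, the function names and the sample records are assumptions constructed for the illustration.

```python
"""
Defensive validation for an "Embed a video link" style feature.

Added example, not AVideo's own code. The function names, the host
allowlist and the sample records are assumptions constructed for this
illustration. The point is that an embed link is untrusted input and must
be reduced to a strict, predictable shape before any backend tooling sees
it, so that a payload appended as a query string (for example ?whoami)
is rejected up front rather than reaching a command line.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts this deployment is willing to embed from (assumed allowlist).
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "youtu.be", "vimeo.com"}

# Query keys/values and the path are restricted to a conservative token
# alphabet, which leaves no room for shell syntax such as ';', '|', '`'
# or '$(...)', nor for percent-encoded control characters.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")


def classify_embed_link(url: str) -> str:
    """Return "ok" for an acceptable link, otherwise a short rejection reason."""
    if not isinstance(url, str) or len(url) > 2048:
        return "bad-type-or-length"
    if any(ch.isspace() for ch in url):
        return "whitespace"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for an out-of-range port
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "scheme"
    host = parts.hostname.lower() if parts.hostname else None
    if host not in ALLOWED_EMBED_HOSTS:
        return "host"
    if parts.username or parts.password or port not in (None, 80, 443):
        return "userinfo-or-port"
    if parts.path and not SAFE_PATH.match(parts.path):
        return "path"
    if parts.fragment:
        return "fragment"
    if parts.query:
        # keep_blank_values=True so a bare "?whoami" surfaces as ("whoami", "")
        # and is rejected because the empty value fails SAFE_TOKEN.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if not SAFE_TOKEN.match(key) or not SAFE_TOKEN.match(value):
                return "query"
    return "ok"


def is_safe_embed_link(url: str) -> bool:
    """Boolean wrapper for use at the point where a link is accepted."""
    return classify_embed_link(url) == "ok"


def audit_embed_links(records):
    """Audit stored (video_id, link) pairs, e.g. after upgrading, and return
    the ones that fail validation together with the rejection reason."""
    findings = []
    for video_id, link in records:
        reason = classify_embed_link(link)
        if reason != "ok":
            findings.append((video_id, reason))
    return findings


# Constructed sample records for a stand-alone run.
SAMPLE_RECORDS = [
    ("v1", "https://vimeo.com/123456"),
    ("v2", "https://www.youtube.com/watch?whoami"),
    ("v3", "https://evil.example/?v=1"),
    ("v4", "https://www.youtube.com/watch?v=dQw4w9WgXcQ"),
]

if __name__ == "__main__":
    for video_id, reason in audit_embed_links(SAMPLE_RECORDS):
        print(f"{video_id}: rejected ({reason})")
```

The validator is deliberately an allowlist rather than a blocklist of dangerous characters: a legitimate embed link has a known shape (scheme, a handful of hosts, a simple path, key=value query parameters), so anything outside that shape is refused without trying to enumerate what an attacker might append. The audit helper applies the same check to links already stored, which is the useful follow-up once the fixed version is deployed.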

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-30842
GHSA-PGVH-P3G4-86JW

Affected Products

Avideo