PT-2024-13827 · Wwbn · Avideo

Claudio Bozzato

Published

2024-01-10

Updated

2024-01-18

CVE-2023-49863

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions WWBN AVideo dev master commit 15fed957fb

Description An information disclosure issue exists in the aVideoEncoderReceiveImage.json.php image upload functionality. A specially crafted HTTP request can lead to arbitrary file read. This issue is triggered by the downloadURL webpimage parameter.

Recommendations For WWBN AVideo dev master commit 15fed957fb, as a temporary workaround, consider restricting access to the downloadURL webpimage parameter in the aVideoEncoderReceiveImage.json.php image upload functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-610CWE-73

Related Identifiers

CVE-2023-49863

Affected Products

Avideo

PT-2024-13827 · Wwbn · Avideo

CVE-2023-49863

Weakness Enumeration

Related Identifiers

Affected Products

References · 5