PT-2024-13828 · Wwbn · Avideo

Claudio Bozzato

Published

2024-01-10

Updated

2024-01-16

CVE-2023-49864

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions WWBN AVideo dev master commit 15fed957fb

Description An information disclosure issue exists in the aVideoEncoderReceiveImage.json.php image upload functionality. A specially crafted HTTP request can lead to arbitrary file read. This issue is triggered by the downloadURL image parameter.

Recommendations As a temporary workaround, consider restricting access to the aVideoEncoderReceiveImage.json.php functionality until a patch is available. Avoid using the downloadURL image parameter in the affected image upload functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-610CWE-73

Related Identifiers

CVE-2023-49864

Affected Products

Avideo

PT-2024-13828 · Wwbn · Avideo

CVE-2023-49864

Weakness Enumeration

Related Identifiers

Affected Products

References · 5