PT-2025-30679 · Wwbn · Avideo
Claudio Bozzato · Published 2025-07-24 · Updated 2025-07-29
CVE-2025-48732
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WWBN AVideo version 14.4
WWBN AVideo dev master commit 8a8954ff
Description
An incomplete blacklist in the .htaccess sample allows for arbitrary code execution via a specially crafted HTTP request. An attacker can request a .phar file to trigger this issue.
Recommendations
Update WWBN AVideo to a version with a complete blacklist in the .htaccess sample.
Avoid allowing requests for .phar files.
Exploit
Fix
Incomplete List of Disallowed Inputs
Weakness Enumeration
Related Identifiers
Affected Products
Avideo