Avideo
WWBN AVideo is an open source video platform. Versions up to 25.0 are affected by missing authentication for a critical function.
Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by connecting to the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration. Memcached has no authentication of its own, so the effective control is network placement: bind the service to localhost or a Docker-internal network and do not publish port 11211 on the host. A quick check is whether the port answers from outside the container network at all.
Administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading a malicious ZIP file through the plugin upload functionality, which extracts the archive without proper validation into web-accessible directories. An attacker with administrator access can therefore execute arbitrary PHP code on the server, with high impact to confidentiality, integrity, and availability. No patch is currently available for affected installations.
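The unsafe pattern the entry describes beside a hardened extractor, as an added example that is not AVideo's own plugin installer. It assumes PHP's bundled ZipArchive extension; the function names, the staging directory and the extension allowlist are illustrative. Because a real plugin may legitimately ship PHP files, the allowlist is a placeholder: the controls that carry over unchanged are the traversal and size checks, unpacking into a directory the web server does not serve, and an integrity check (a signature or a checksum from a trusted source) before anything is moved into a served path.

```php
<?php
// Added example, not AVideo's code. Function names, the staging directory and
// the extension allowlist are illustrative assumptions.

// Unsafe pattern: the archive is trusted as-is and unpacked straight into a
// web-served directory, so an entry named "shell.php" (or "../../index.php")
// becomes executable the moment it lands.
function extractPluginUnsafe(string $zipPath, string $webRoot): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    $ok = $zip->extractTo($webRoot . '/plugin');
    $zip->close();
    return $ok;
}

// Hardened pattern: unpack into a staging directory outside the document root,
// validate every entry's name, size and extension before writing, and write the
// bytes explicitly instead of letting the library create paths or symlinks.
function extractPluginSafe(
    string $zipPath,
    string $stagingDir,
    array $allowedExt = ['json', 'css', 'js', 'png', 'svg', 'txt'],
    int $maxEntryBytes = 5 * 1024 * 1024
): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CHECKCONS) !== true) {
        throw new RuntimeException('not a consistent zip archive');
    }
    $base = realpath($stagingDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('staging directory does not exist');
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '' || substr($name, -1) === '/') {
            continue; // directory entries are created implicitly below
        }
        // Absolute paths, backslashes and ".." components are traversal attempts.
        if ($name[0] === '/' || strpos($name, '\\') !== false
            || in_array('..', explode('/', $name), true)) {
            throw new RuntimeException("traversal entry rejected: $name");
        }
        // Anything the web server could execute (php, phtml, phar, htaccess, ...) is not on the list.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            throw new RuntimeException("disallowed file type rejected: $name");
        }
        // Guard against decompression bombs before reading the entry.
        $stat = $zip->statIndex($i);
        if ($stat === false || $stat['size'] > $maxEntryBytes) {
            throw new RuntimeException("oversized entry rejected: $name");
        }
        $target = $base . '/' . $name;
        $dir = dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        // Final containment check on the canonical directory we are about to write into.
        $dirReal = realpath($dir);
        if ($dirReal === false || strpos($dirReal . '/', $base . '/') !== 0) {
            throw new RuntimeException("entry escapes staging directory: $name");
        }
        $data = $zip->getFromIndex($i);
        if ($data === false || file_put_contents($target, $data) === false) {
            throw new RuntimeException("cannot write $target");
        }
        $written[] = $target;
    }
    $zip->close();
    return $written;
}
```

Writing each entry with getFromIndex and file_put_contents rather than extractTo also means a symlink entry in the archive is stored as an ordinary file containing the link text, so the archive cannot plant a link that points back into the document root.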
Unauthenticated SQL injection in AVideo before 24.0.
Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via the unvalidated downloadURL parameter of the aVideoEncoder.json.php endpoint. An attacker can use this to probe internal network services, reach cloud instance metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise.
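A validator for a user-supplied download URL, added here as an example and not taken from AVideo's code. The function names are illustrative; it relies only on the standard PHP functions parse_url, dns_get_record and filter_var. It goes slightly beyond the entry by resolving hostnames, so that a name pointing at 127.0.0.1 or 169.254.169.254 is rejected as well as a literal address.

```php
<?php
// Added example, not AVideo's code. Function names are illustrative.

/**
 * Returns true if the server may fetch $url: http(s) only, no embedded
 * credentials, standard ports, and every address the host resolves to is public.
 */
function isSafeDownloadUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Plain web schemes only; rules out file://, gopher://, dict://, php://, ...
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "http://user:pass@host" is a classic way to smuggle a different host past naive checks.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return false;
    }
    $host = strtolower(trim($parts['host'], '[]')); // parse_url keeps brackets on IPv6 literals
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : resolveHost($host);
    if ($addresses === []) {
        return false;
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return false;
        }
    }
    return true;
}

/** Resolves A and AAAA records; returns an empty array on failure. */
function resolveHost(string $host): array
{
    $records = @dns_get_record($host, DNS_A + DNS_AAAA);
    if ($records === false) {
        return [];
    }
    $ips = [];
    foreach ($records as $r) {
        if (isset($r['ip']))   { $ips[] = $r['ip']; }
        if (isset($r['ipv6'])) { $ips[] = $r['ipv6']; }
    }
    return $ips;
}

/**
 * Rejects private ranges (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved
 * ranges, which include loopback, 169.254.0.0/16 (cloud metadata) and fe80::/10.
 */
function isPublicAddress(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Constructed inputs for a manual run.
foreach ([
    'https://cdn.example.com/clip.mp4',
    'http://169.254.169.254/latest/meta-data/',
    'file:///etc/passwd',
    'http://user:pw@127.0.0.1:8080/',
] as $candidate) {
    echo str_pad($candidate, 48), isSafeDownloadUrl($candidate) ? 'allow' : 'reject', PHP_EOL;
}
```

Validation alone leaves a time-of-check/time-of-use gap: a hostname can resolve to a public address when checked and to 127.0.0.1 when fetched (DNS rebinding), and a public server can redirect to an internal one. Pin the fetch to the address that was validated (with cURL, CURLOPT_RESOLVE), leave CURLOPT_FOLLOWLOCATION off, and re-run the check on any redirect target you choose to follow.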
Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.
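The vulnerable and hardened Parsedown configurations side by side, as an added example that is not AVideo's code. It assumes Parsedown 1.7 or later installed through Composer (erusev/parsedown), which is the release that introduced setSafeMode(); the comment text is constructed and the function names are illustrative.

```php
<?php
// Added example, not AVideo's code. Assumes Parsedown >= 1.7 via Composer.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample comment: ordinary Markdown whose link target is a javascript: URI.
$comment = 'Nice upload! [see the full list](javascript:alert(document.cookie))';

// Renders a comment the way the vulnerable configuration does: default settings,
// safe mode off. The href is emitted as written, so clicking the link runs
// script in the viewer's origin.
function renderCommentUnsafe(string $markdown): string
{
    $parser = new Parsedown();
    return $parser->text($markdown);
}

// Hardened configuration. With safe mode on, Parsedown escapes raw HTML in the
// input and passes through only link targets whose scheme is on its whitelist
// (http, https, ftp, ftps, mailto, tel and a few others); for any other scheme
// it percent-encodes the colon, so "javascript:..." degrades to a relative path.
function renderCommentSafe(string $markdown): string
{
    $parser = new Parsedown();
    $parser->setSafeMode(true);
    return $parser->text($markdown);
}

// Defence in depth for stored output: refuse HTML that still carries a
// script-capable scheme in an href, whatever the parser did with it.
function containsScriptUri(string $html): bool
{
    return (bool) preg_match('/href\s*=\s*["\']?\s*(?:javascript|vbscript|data):/i', $html);
}

$unsafeHtml = renderCommentUnsafe($comment);
$safeHtml   = renderCommentSafe($comment);
echo "vulnerable: ", $unsafeHtml, PHP_EOL;
echo "hardened:   ", $safeHtml, PHP_EOL;
echo "unsafe output carries script URI: ", containsScriptUri($unsafeHtml) ? 'yes' : 'no', PHP_EOL;
echo "safe output carries script URI:   ", containsScriptUri($safeHtml) ? 'yes' : 'no', PHP_EOL;
```

Safe mode is a per-instance setting, so every place that constructs a Parsedown object for untrusted input has to set it; a second check like containsScriptUri on the stored HTML catches the instance someone forgot.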
Avideo versions up to 8.1 contain a vulnerability that allows attackers to enumerate user details via playlistsFromUser (CVSS 7.5).
Avideo versions up to 8.1 are affected by a weak password recovery mechanism for forgotten passwords (CVSS 5.3).
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism (CVSS 5.3 MEDIUM).