📦 AVideo

by WWBN


🛡️ Security Overview

⚠️ Known Vulnerabilities

CVE-2025-34434

CRITICAL CVSS 9.1 Dec 17, 2025

AVideo versions before 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Attackers can upload malicious files or delete images from any image-based ...

CVE-2025-50128

CRITICAL CVSS 9.6 Jul 24, 2025

A stored cross-site scripting vulnerability in WWBN AVideo allows attackers to inject malicious JavaScript via the videoNotFound 404ErrorMsg parameter. When users visit a specially crafted webpage, ar...

CVE-2025-41420

CRITICAL CVSS 9.6 Jul 24, 2025

A cross-site scripting vulnerability in WWBN AVideo's userLogin cancelUri parameter allows attackers to execute arbitrary JavaScript when users visit malicious webpages. This affects WWBN AVideo 14.4 ...

CVE-2023-49599

CRITICAL CVSS 9.8 Jan 10, 2024

This vulnerability allows attackers to forge password recovery codes for admin users in WWBN AVideo by exploiting weak salt generation. Attackers can brute-force the salt offline after gathering syste...

CVE-2023-47861

CRITICAL CVSS 9.0 Jan 10, 2024

A cross-site scripting vulnerability in WWBN AVideo's channelBody.php allows attackers to inject malicious JavaScript via user name input. When exploited, this enables arbitrary script execution in vi...

CVE-2023-48728

CRITICAL CVSS 9.6 Jan 10, 2024

This is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo's getOpenGraph videoName functionality that allows attackers to inject malicious JavaScript. When exploited, it enables arbitra...

CVE-2020-37173

HIGH CVSS 7.5 Feb 11, 2026

AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. By manipulating the users_id param...

CVE-2025-34436

HIGH CVSS 8.8 Dec 17, 2025

AVideo versions before 20.1 contain an insecure direct object reference vulnerability that allows any authenticated user to upload files into other users' directories. This occurs because the upload f...

CVE-2025-34437

HIGH CVSS 8.8 Dec 17, 2025

This vulnerability allows any authenticated user to upload comment images to videos owned by other users in AVideo. Attackers can perform unauthorized uploads to arbitrary video objects due to missing...

CVE-2025-34438

HIGH CVSS 8.1 Dec 17, 2025

AVideo versions before 20.1 contain an insecure direct object reference vulnerability that allows authenticated users with upload permissions to modify rotation metadata of any video in the system, re...

CVE-2025-34441

HIGH CVSS 7.5 Dec 17, 2025

AVideo versions before 20.1 expose sensitive user information through an unauthenticated public API endpoint. This allows attackers to enumerate users, obtain emails, usernames, administrative status,...

CVE-2025-34442

HIGH CVSS 7.5 Dec 17, 2025

AVideo versions before 20.1 expose absolute server filesystem paths through public API endpoints. This information disclosure vulnerability reveals internal directory structures, which attackers can l...

CVE-2025-48732

HIGH CVSS 7.3 Jul 24, 2025

An incomplete blacklist in WWBN AVideo's .htaccess sample allows attackers to execute arbitrary code by requesting specially crafted .phar files. This affects WWBN AVideo 14.4 and development versions...

CVE-2025-25214

HIGH CVSS 8.8 Jul 24, 2025

A race condition vulnerability in WWBN AVideo's aVideoEncoder.json.php unzip functionality allows attackers to execute arbitrary code through specially crafted HTTP requests. This affects AVideo 14.4 ...

CVE-2023-49589

HIGH CVSS 8.8 Jan 10, 2024

This vulnerability allows attackers to reset arbitrary user passwords in WWBN AVideo by exploiting insufficient entropy in password recovery token generation. Attackers can send crafted HTTP requests ...

CVE-2023-49738

HIGH CVSS 7.5 Jan 10, 2024

This vulnerability allows attackers to read arbitrary files on WWBN AVideo servers by exploiting improper input validation in the image404Raw.php script. It affects WWBN AVideo installations running d...

CVE-2023-30860

HIGH CVSS 8.0 May 8, 2023

This is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo's meeting scheduling feature. Attackers can inject malicious scripts into meeting rooms that execute when viewed by other users...

CVE-2020-37158

MEDIUM CVSS 5.3 Feb 11, 2026

CVE-2020-37158 is a CSRF vulnerability in AVideo Platform 8.1 that allows attackers to reset user passwords without authentication by exploiting the password recovery mechanism. Attackers can craft ma...

CVE-2025-34439

MEDIUM CVSS 6.1 Dec 17, 2025

AVideo versions before 20.1 contain an open redirect vulnerability in the login functionality. Attackers can craft malicious links that redirect users to arbitrary external websites after login, enabl...

CVE-2025-34440

MEDIUM CVSS 6.1 Dec 17, 2025

AVideo versions before 20.1 contain an open redirect vulnerability in the user registration process. Attackers can manipulate the siteRedirectUri parameter to redirect users to malicious external webs...

CVE-2025-34435

MEDIUM CVSS 6.5 Dec 17, 2025

AVideo versions before 20.1 contain an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to delete media files belonging to other users. The vulnerability occurs...