Headline
GHSA-wj6r-53f5-q789: Duplicate Advisory: AVideo contains Command injection when embedding a video link
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-pgvh-p3g4-86jw. This link is maintained to preserve external references.
Original Description
Impact:
An attacker could execute remote code on a system running wwbn/avideo
Steps to Reproduce:
- Go to the My Videos tab
https://demo.avideo.com/mvideos
- Click “Embed a video link”
- Append a command to the URL as a query string, e.g. ?whoami
- Then click Save
This issue has been resolved in commit 236228f15
Package
wwbn/avideo (Composer)
Affected versions
< 12.4
Patched versions
12.4
References
- GHSA-pgvh-p3g4-86jw
- https://nvd.nist.gov/vuln/detail/CVE-2023-25313
Published to the GitHub Advisory Database
Apr 25, 2023
Reviewed
Apr 27, 2023
Withdrawn
Apr 27, 2023
Last updated
Apr 27, 2023