The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.
References
Link | Resource |
---|---|
https://cube01.io/blog/Avideo-Remote-Code-Execution.html | Third Party Advisory |
https://github.com/WWBN/AVideo/commit/ecc5f40470bbafff231133f58db1df70f47bfb33 | Patch Third Party Advisory |
https://cube01.io/blog/Avideo-Remote-Code-Execution.html | Third Party Advisory |
https://github.com/WWBN/AVideo/commit/ecc5f40470bbafff231133f58db1df70f47bfb33 | Patch Third Party Advisory |
Configurations
History
21 Nov 2024, 05:13
Type | Values Removed | Values Added |
---|---|---|
References | () https://cube01.io/blog/Avideo-Remote-Code-Execution.html - Third Party Advisory | |
References | () https://github.com/WWBN/AVideo/commit/ecc5f40470bbafff231133f58db1df70f47bfb33 - Patch, Third Party Advisory |
Information
Published : 2020-11-16 18:15
Updated : 2024-11-21 05:13
NVD link : CVE-2020-23489
Mitre link : CVE-2020-23489
CVE.ORG link : CVE-2020-23489
JSON object : View
Products Affected
wwbn
- avideo
CWE
CWE-862
Missing Authorization