This is a summary of the AI-generated 10-question deep analysis.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: SQL Injection in WWBN AVideo. **Consequences**: Attackers can manipulate database queries via the `catName` parameter in `objects/videos.json.php` and `objects/video.php`. …
**Root Cause**: **CWE-89** (SQL Injection). **Flaw**: Improper sanitization of the `catName` input parameter. The system fails to validate or escape user-supplied data before embedding it in SQL commands.
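The root-cause pattern described above, as an added PHP illustration that is not AVideo's own code: the user-supplied value concatenated into the SQL text, beside the prepared-statement form that keeps it as a bound value. The table and column names (`videos`, `categories`, `categories_id`) and the allowlist pattern are assumptions made for this example.

```php
<?php
// Added illustration of the CWE-89 pattern, not code from the AVideo project.
// Table and column names below are assumed for the example.

// Vulnerable shape: $catName becomes part of the query text, so whatever the
// client sends is parsed by the database as SQL.
function findVideosByCategoryUnsafe(mysqli $db, string $catName)
{
    $sql = "SELECT v.id, v.title FROM videos v "
         . "JOIN categories c ON c.id = v.categories_id "
         . "WHERE c.name = '" . $catName . "'";   // input embedded in SQL
    return $db->query($sql);
}

// Hardened shape: the query text is fixed at write time; catName is sent to
// the server separately as a parameter and can never change the statement.
function findVideosByCategory(mysqli $db, string $catName): array
{
    $sql = "SELECT v.id, v.title FROM videos v "
         . "JOIN categories c ON c.id = v.categories_id "
         . "WHERE c.name = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $catName);          // bound as a string value
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Defence in depth: reject values that cannot be a category name before they
// reach the database. The allowed character set is an assumption for this example.
function isPlausibleCatName(string $catName): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 _-]{1,100}$/', $catName);
}

// Example entry point (assumed): validate, then query with the bound parameter.
$db = new mysqli('localhost', 'user', 'password', 'avideo'); // placeholder credentials
$catName = $_GET['catName'] ?? '';
if (!isPlausibleCatName($catName)) {
    http_response_code(400);
    exit('invalid catName');
}
header('Content-Type: application/json');
echo json_encode(findVideosByCategory($db, $catName));
```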
Q3: Who is affected? (Versions/Components)
**Affected**: **WWBN AVideo** (PHP-based video platform). **Versions**: All versions **prior to 24.0**. **Components**: Specifically `objects/videos.json.php` and `objects/video.php`.
Q4: What can hackers do? (Privileges/Data)
**Capabilities**: Full SQL injection potential. **Impact**: High Confidentiality, Integrity, and Availability loss (CVSS H). …
**Exploit Status**: No specific PoC provided in the data. **Wild Exploitation**: Unknown. However, given the low complexity and lack of auth, public exploits are likely emerging or easily crafted by attackers.
Q7: How to self-check? (Features/Scanning)
**Self-Check**: Scan for WWBN AVideo instances. **Target**: Check endpoints `/objects/videos.json.php` and `/objects/video.php`. **Test**: Inject SQL payloads into the `catName` parameter. …
**Fixed**: **YES**. **Patch**: Version **24.0** and later. **Reference**: GitHub Advisory GHSA-pv87-r9qf-x56p and Commit 0c10be6. Upgrade immediately to resolve the issue.
Q9: What if no patch? (Workaround)
**No Patch?**: If stuck on old versions, implement **WAF rules** to block SQL injection patterns in the `catName` parameter. …
**Urgency**: **CRITICAL**. **Priority**: **P1**. With CVSS High severity, no auth required, and low complexity, this is a high-risk vulnerability. Immediate patching to v24.0+ is strongly recommended.