Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Vulnerability Description
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
CVSS Information
N/A
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
WWBN AVideo 代码问题漏洞
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 22.0之前版本存在代码问题漏洞,该漏洞源于aVideoEncoder.json.php API端点接受downloadURL参数并在服务器端获取引用的资源,但缺乏适当的验证或允许列表,可能导致经过身份验证的用户触发对任意URL的服务器端请求,从而引发服务端请求伪造,可能泄露内部服务敏感数据。
CVSS Information
N/A
Vulnerability Type
N/A