Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause
Vulnerability Description
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers — making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
CVSS Information
N/A
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
AVideo SQL注入漏洞
Vulnerability Description
AVideo是World Wide Broadcast Network开源的一个广播网络创建工具。 AVideo 8.0之前版本存在SQL注入漏洞,该漏洞源于_POST sort数组键值直接用作SQL列标识符,可能导致SQL注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A