Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
Vulnerability Description
WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MITM, compromised OAuth token, or API compromise), they can inject arbitrary OS commands that execute as the web server user. Version 26.0 contains a fix for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
WWBN AVideo 操作系统命令注入漏洞
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0之前版本存在操作系统命令注入漏洞,该漏洞源于SocialMediaPublisher插件中uploadVideoToLinkedIn方法直接插值来自LinkedIn API响应的上传URL而未使用escapeshellarg清理,可能导致OS命令注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A