Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Vulnerability Description
WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to construct a URL that is fetched server-side via `file_get_contents()`. No authentication, origin validation, or URL allowlisting is performed. Version 26.0 contains a patch for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
WWBN AVideo 代码问题漏洞
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0之前版本存在代码问题漏洞,该漏洞源于plugin/Live/standAloneFiles/saveDVR.json.php文件存在服务端请求伪造,可能导致未经验证的$_REQUEST[webSiteRootURL]参数被直接用于构造服务器端获取的URL。
CVSS Information
N/A
Vulnerability Type
N/A