WWBN AVideo vulnerable to RCE caused by clonesite plugin

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to Remote Code Execution (RCE) on the server. Commit 473c609fc2defdea8b937b00e86ce88eba1f15bb contains a fix.

N/A

在命令中使用的特殊元素转义处理不恰当(命令注入)

WWBN AVideo 命令注入漏洞

WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在命令注入漏洞，该漏洞源于CloneSite插件中cloneServer.json.php端点使用用户控制的url参数构造shell命令时清理不当，可能导致远程代码执行。

N/A

N/A