CVE-2023-25313

CRITICAL9.6EPSS 9.4%

AVideo contains Command injection when embedding a video link

Published: 2/2/2023Modified: 3/13/2026

Description

Impact: An attacker could execute remote code on a system running wwbn/avideo Step to Reproduce: 1. Go to the `My Videos` tab https://demo.avideo.com/mvideos 2. Click "Embed a video link" Append a command to the url as a query string. eg. `?whoami` then click Save This issue has been resolved in commit `236228f15`

Affected packages (1)

Packagist/wwbn/avideofrom 0, < 12.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-30842
PATCHhttps://github.com/WWBN/AVideo
WEBhttps://github.com/WWBN/AVideo/commit/236228f15a9a31be5a0e60f05dac043682e49a5e
WEBhttps://github.com/WWBN/AVideo/security/advisories/GHSA-pgvh-p3g4-86jw