Avideo
by WWBN
Source repositories
CVEs (208)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-34436 | 0.00 | — | 0.00 | Dec 17, 2025 | AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks. | |||
| CVE-2025-34434 | 0.00 | — | 0.00 | Dec 17, 2025 | AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated… | |||
| CVE-2025-34439 | 0.00 | — | 0.00 | Dec 17, 2025 | AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks. | |||
| CVE-2025-34440 | 0.00 | — | 0.00 | Dec 17, 2025 | AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks. | |||
| CVE-2025-46410 | 0.00 | — | 0.01 | Jul 24, 2025 | A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to… | |||
| CVE-2025-53084 | 0.00 | — | 0.01 | Jul 24, 2025 | A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to… | |||
| CVE-2025-50128 | 0.00 | — | 0.01 | Jul 24, 2025 | A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a… | |||
| CVE-2025-36548 | 0.00 | — | 0.01 | Jul 24, 2025 | A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to… | |||
| CVE-2025-41420 | 0.00 | — | 0.01 | Jul 24, 2025 | A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to… | |||
| CVE-2025-25214 | 0.00 | — | 0.01 | Jul 24, 2025 | A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP request can lead to arbitrary code execution. | |||
| CVE-2025-48732 | 0.00 | — | 0.01 | Jul 24, 2025 | An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability. | |||
| CVE-2024-34899 | 0.00 | — | 0.00 | May 13, 2024 | WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). | |||
| CVE-2024-31819 | 0.00 | — | 0.16 | Apr 10, 2024 | An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. | |||
| CVE-2023-47171 | 0.00 | — | 0.01 | Jan 10, 2024 | An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | |||
| CVE-2023-49864 | 0.00 | — | 0.01 | Jan 10, 2024 | An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the… | |||
| CVE-2023-49863 | 0.00 | — | 0.01 | Jan 10, 2024 | An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the… | |||
| CVE-2023-49862 | 0.00 | — | 0.01 | Jan 10, 2024 | An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the… | |||
| CVE-2023-49738 | 0.00 | — | 0.01 | Jan 10, 2024 | An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | |||
| CVE-2023-48730 | 0.00 | — | 0.01 | Jan 10, 2024 | A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to… | |||
| CVE-2023-47861 | 0.00 | — | 0.01 | Jan 10, 2024 | A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to… |
- CVE-2025-34436Dec 17, 2025risk 0.00cvss —epss 0.00
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.
- CVE-2025-34434Dec 17, 2025risk 0.00cvss —epss 0.00
AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated…
- CVE-2025-34439Dec 17, 2025risk 0.00cvss —epss 0.00
AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.
- CVE-2025-34440Dec 17, 2025risk 0.00cvss —epss 0.00
AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.
- CVE-2025-46410Jul 24, 2025risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to…
- CVE-2025-53084Jul 24, 2025risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to…
- CVE-2025-50128Jul 24, 2025risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a…
- CVE-2025-36548Jul 24, 2025risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to…
- CVE-2025-41420Jul 24, 2025risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to…
- CVE-2025-25214Jul 24, 2025risk 0.00cvss —epss 0.01
A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP request can lead to arbitrary code execution.
- CVE-2025-48732Jul 24, 2025risk 0.00cvss —epss 0.01
An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability.
- CVE-2024-34899May 13, 2024risk 0.00cvss —epss 0.00
WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS).
- CVE-2024-31819Apr 10, 2024risk 0.00cvss —epss 0.16
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.
- CVE-2023-47171Jan 10, 2024risk 0.00cvss —epss 0.01
An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
- CVE-2023-49864Jan 10, 2024risk 0.00cvss —epss 0.01
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the…
- CVE-2023-49863Jan 10, 2024risk 0.00cvss —epss 0.01
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the…
- CVE-2023-49862Jan 10, 2024risk 0.00cvss —epss 0.01
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the…
- CVE-2023-49738Jan 10, 2024risk 0.00cvss —epss 0.01
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
- CVE-2023-48730Jan 10, 2024risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to…
- CVE-2023-47861Jan 10, 2024risk 0.00cvss —epss 0.01
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to…
Page 9 of 11