Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-jzaa-2qhr-tkhb

Summary

Improper Neutralization of Special Elements used in a Command ('Command Injection')
WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.

Aliases

alias	CVE-2023-32073

alias	GHSA-2mhh-27v7-3vcx

Fixed_packages

Affected_packages

url pkg:composer/wwbn/avideo@12.4.0

purl pkg:composer/wwbn/avideo@12.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dys1-y27f-kybb

vulnerability	VCID-e1bu-y7rn-wka8

vulnerability	VCID-g2er-1sf3-6qad

vulnerability	VCID-jzaa-2qhr-tkhb

vulnerability	VCID-vynh-gpdq-2yde

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wwbn/avideo@12.4.0

References

reference_url	https://github.com/WWBN/AVideo/commit/1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3
reference_id
reference_type
scores
url	https://github.com/WWBN/AVideo/commit/1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-32073
reference_id	CVE-2023-32073
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-32073

reference_url	https://github.com/advisories/GHSA-2mhh-27v7-3vcx
reference_id	GHSA-2mhh-27v7-3vcx
reference_type
scores
url	https://github.com/advisories/GHSA-2mhh-27v7-3vcx

reference_url	https://github.com/WWBN/AVideo/security/advisories/GHSA-2mhh-27v7-3vcx
reference_id	GHSA-2mhh-27v7-3vcx
reference_type
scores
url	https://github.com/WWBN/AVideo/security/advisories/GHSA-2mhh-27v7-3vcx

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	77
name	Improper Neutralization of Special Elements used in a Command ('Command Injection')
description	The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

cwe_id	78
name	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
description	The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jzaa-2qhr-tkhb

Vulnerability Instance