Exploit
CVE-2023-49864

External Control of File Name or Path (CWE-73)

Published: Jan 10, 2024

010
CVSS 6.5EPSS 0.07%Medium
CVE info copied to clipboard

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2023-49864

Jan 10, 2024 at 8:15 AM
First Article

Feedly found the first article mentioning CVE-2023-49864. See article

Jan 10, 2024 at 4:15 PM / Cisco Talos Disclosed Vulnerability Reports
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Jan 16, 2024 at 4:10 PM
EPSS

EPSS Score was set to: 0.07% (Percentile: 28.6%)

Jan 17, 2024 at 3:15 PM
Static CVE Timeline Graph

Affected Systems

Wwbn/avideo
+null more

Exploits

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1880
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-13: Subverting Environment Variable Values
+null more

News

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine. Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.
CVE-2023-49864 Exploit
CVE Id : CVE-2023-49864 Published Date: 2024-01-16T21:11:00+00:00 An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_image` parameter. inTheWild added a link to an exploit: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1880
CVE-2023-49864 - RedPacket Security
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality. If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below To keep up to date follow us on the below channels.
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI