CRITICAL🇵🇱 Wersja polska

CVE-2023-49599

CVSS 9.8v3.1pub. 2024-01-10upd. 2025-11-04

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user.

🤖 AI Analysis
How it works

The salt generation mechanism used in password recovery is characterized by insufficient entropy. An attacker can gather information about the system through a series of crafted HTTP requests, then perform an offline brute force attack on the salt. After reproducing the salt, it is possible to generate a valid password recovery code for the administrator account without user interaction or possessing any privileges.

Impact

Successful exploitation of this vulnerability enables complete takeover of the application administrator account (privilege escalation), resulting in loss of confidentiality, integrity, and system availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Details available in Cisco Talos report: TALOS-2023-1900.

Who is affected

WWBN AVideo dev master commit 15fed957fb

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wwbn Avideo

    APP
    Wwbn
    15fed957fb
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-41064CRITICAL9.3PL ✓ten sam produkt

WWBN AVideo — niekompletna naprawa command injection w test.php

CVE-2026-40911CRITICAL10.0PL ✓ten sam produkt

WWBN AVideo: RCE przez eval() w pluginie YPTSocket — przejęcie kont

CVE-2026-33867CRITICAL9.1PL ✓ten sam produkt

WWBN AVideo: hasła do filmów przechowywane w bazie jako plaintext

CVE-2026-34374CRITICAL9.1PL ✓ten sam produkt

SQL Injection w WWBN AVideo — mechanizm uwierzytelniania RTMP

CVE-2026-33351CRITICAL9.1PL ✓ten sam produkt

SSRF w WWBN AVideo — brak walidacji parametru URL w saveDVR.json.php