WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
The `getAllCategories()` method in the `objects/category.php` file accepts a `doNotShowCats` request parameter and sanitizes it only by removing single quote characters (`str_replace("'", '', ...)`). This protection can be trivially bypassed using backslash escape technique, which shifts the string boundaries in the SQL query, enabling injection of arbitrary SQL code. This parameter is not covered by any global input filter defined in `objects/security.php`, further facilitating exploitation.
An unprivileged remote attacker can read, modify, or delete data from the application database, resulting in complete compromise of data confidentiality, integrity, and availability.
WWBN AVideo should be updated to version 26.0, which contains the official patch for this vulnerability. Patch details are available in the GitHub repository at the address specified in the references.
WWBN AVideo in versions prior to 26.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWwbn Avideo
APPWwbn< 26.0
Related vulnerabilities
WWBN AVideo — niekompletna naprawa command injection w test.php
WWBN AVideo: RCE przez eval() w pluginie YPTSocket — przejęcie kont
WWBN AVideo: hasła do filmów przechowywane w bazie jako plaintext
SQL Injection w WWBN AVideo — mechanizm uwierzytelniania RTMP
SSRF w WWBN AVideo — brak walidacji parametru URL w saveDVR.json.php