CVE-2023-32073

High · Public PoC · RCE

Published: 12 May 2023
Modified: 21 November 2024
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2277 (96.0th percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-32073 is a high-severity Command Injection (CWE-77) vulnerability in Wwbn Avideo. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 4.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

WWBN AVideo, an open source video platform, contains a command injection vulnerability in versions 12.4 and earlier at the endpoint plugin/CloneSite/cloneClient.json.php when the CloneSite plugin is enabled. The flaw permits remote code execution and serves as a bypass for the earlier patch addressing CVE-2023-30854 in versions up to 12.3. It is tracked under CWE-77 and carries a CVSS 3.1 score of 8.8.

An authenticated attacker with low privileges can send crafted requests over the network to the affected endpoint and execute arbitrary commands on the server, resulting in full compromise of confidentiality, integrity, and availability. No user interaction is required and the attack complexity is low.

The issue is resolved in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3; the project’s GitHub security advisories recommend upgrading to a patched release and disabling or removing the CloneSite plugin on unpatched instances until the update can be applied.

EPSS for the CVE reached a peak of 0.2133 after disclosure, indicating a measurable increase in observed exploitation interest that warrants renewed attention for exposed AVideo deployments.

Vulnerability details

WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if the CloneSite plugin is enabled. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wwbn avideo, versions ≤ 12.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.