WWBN AVideo SQL Injection Vulnerability in Category Management

Vulnerability

A SQL injection vulnerability has been identified in WWBN AVideo versions prior to 26.0. The issue arises in the `fixCleanTitle()` static method within `objects/category.php`, where SQL queries are built by concatenating user-supplied values into the query string rather than binding them through prepared statements, and without proper sanitization. This flaw allows an attacker to inject arbitrary SQL, potentially leading to unauthorized data access. The vulnerability can be exploited by an authenticated admin during category creation or renaming by supplying crafted title values that alter the structure of the executed SQL query.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, with the potential to read any database table. In the context of this application, it could lead to exfiltration of user credentials, private video metadata, and personally identifiable information.

Reproduction

To reproduce this vulnerability, an authenticated admin can create or rename a category with a title that contains SQL injection payloads; the title value reaches the query built in the `fixCleanTitle()` method without sanitization or parameter binding. Once the title is processed and the query is executed, the injected SQL can alter the query's behavior, for example by extracting data from the database.

Remediation

Users can update to AVideo version 26.0 or later, where this vulnerability has been patched.
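The following is an added illustration written for this advisory, not code from the AVideo project: a hypothetical "clean title" helper of the kind described above, first with the user-controlled title concatenated into the query (the vulnerable pattern), then hardened with a mysqli prepared statement and a slug whitelist. The table and column names (`categories`, `clean_title`, `id`) and the function names are assumptions.

```php
<?php
// Hypothetical illustration for this advisory, not AVideo's code.
// Assumed schema: table `categories` with columns `id` and `clean_title`.

// Vulnerable pattern: the title is interpolated directly into the SQL string,
// so a title containing a quote character changes the query structure.
function fixCleanTitleVulnerable(mysqli $db, string $cleanTitle, int $categoryId): string
{
    $sql = "SELECT id FROM categories WHERE clean_title = '{$cleanTitle}' "
         . "AND id <> {$categoryId} LIMIT 1";
    $res = $db->query($sql);
    if ($res !== false && $res->num_rows > 0) {
        return $cleanTitle . '-2'; // naive de-duplication
    }
    return $cleanTitle;
}

// Hardened version: normalise the title to a slug built from a strict
// character whitelist, then bind every value with a prepared statement so
// the database never interprets title content as SQL.
function fixCleanTitleSafe(mysqli $db, string $title, int $categoryId): string
{
    // Keep only ASCII letters, digits and single hyphens.
    $base = strtolower(trim(preg_replace('/[^A-Za-z0-9]+/', '-', $title), '-'));
    if ($base === '') {
        $base = 'category';
    }

    $stmt = $db->prepare(
        'SELECT id FROM categories WHERE clean_title = ? AND id <> ? LIMIT 1'
    );
    $candidate = $base;
    // bind_param binds by reference, so updating $candidate before each
    // execute() re-runs the query with the new value.
    $stmt->bind_param('si', $candidate, $categoryId);

    for ($n = 2; ; $n++) {
        $stmt->execute();
        $stmt->store_result();
        $exists = $stmt->num_rows > 0;
        $stmt->free_result();
        if (!$exists) {
            break; // slug is unique among the other categories
        }
        $candidate = $base . '-' . $n; // e.g. "news-2", "news-3", ...
    }
    $stmt->close();
    return $candidate;
}
```

Even with the whitelist in place, the prepared statement is the control that closes the injection; the whitelist only limits what the slug can contain.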

Added: Mar 27, 2026, 5:30 PM
Updated: Mar 27, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.