GHSA-V8JW-8W5P-23G3: Authenticated Remote Code Execution in AVideo Plugin Import
Vulnerability ID: GHSA-V8JW-8W5P-23G3
CVSS Score: 7.2
Published: 2026-03-02
A critical remote code execution (RCE) vulnerability exists in AVideo (formerly YouPHPTube) within the plugin import functionality. The flaw stems from the insecure use of OS-level commands to extract uploaded ZIP archives without validating their contents. An authenticated administrator can exploit this to upload and execute arbitrary PHP code on the server, leading to full system compromise. The vulnerability involves multiple weakness classes, including OS Command Injection (CWE-78) and Unrestricted File Upload (CWE-434).
TL;DR
Authenticated administrators can achieve Remote Code Execution (RCE) on AVideo instances by uploading a malicious ZIP file. The application insecurely extracts the archive using the system 'unzip' command, allowing attackers to write PHP shells to the webroot. Fixed in commit b739aeeb.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Remote Code Execution (RCE)
- Attack Vector: Network (Authenticated)
- CWE IDs: CWE-78, CWE-434, CWE-22
- CVSS Score: 7.2 (High)
- Affected Component: objects/pluginImport.json.php
- Root Cause: Unsafe extraction of ZIP archives via exec()
Affected Systems
- AVideo (formerly YouPHPTube): versions before commit b739aeeb9ce34aed9961d2c155d597810f8229db (fixed in commit b739aeeb9ce34aed9961d2c155d597810f8229db)
Code Analysis
Commit: b739aee
Fix for plugin import vulnerability: replaced exec with ZipArchive and added validation
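As an added illustration, not AVideo's code and not the contents of commit b739aee, the following PHP shows the mitigation class the fix description names: the uploaded archive is opened with ZipArchive instead of being passed to a shell command, and every entry is validated before anything is written to disk. The function name, the extension allowlist and the size limits are assumptions made for this example.

```php
<?php
// Added example, not AVideo's code: safe extraction of an uploaded plugin
// archive. The function name, allowlist and limits are assumptions.

function safeExtractPluginZip(
    string $zipPath,
    string $destDir,
    int $maxEntries = 500,
    int $maxTotalBytes = 50 * 1024 * 1024
): array {
    // Only static plugin assets may be written; anything the PHP engine
    // could execute is refused (CWE-434). Extensionless files and dotfiles
    // such as .htaccess are refused as well, since the latter can re-enable
    // script execution in the target directory.
    $allowedExt = ['js', 'css', 'json', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'html', 'txt', 'md'];

    $destReal = realpath($destDir);
    if ($destReal === false || !is_dir($destReal)) {
        throw new RuntimeException('destination directory does not exist');
    }

    // ZipArchive reads the file directly: no shell is involved, so neither the
    // upload path nor the entry names can become command arguments (CWE-78).
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('not a valid zip archive');
    }
    if ($zip->numFiles > $maxEntries) {
        $zip->close();
        throw new RuntimeException('archive has too many entries');
    }

    $total = 0;
    $entries = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if ($stat === false) {
            $zip->close();
            throw new RuntimeException('unreadable archive entry');
        }
        $name = $stat['name'];

        // Reject names that could land outside $destDir once extracted (CWE-22):
        // absolute paths, backslashes, NUL bytes and any '..' path component.
        if ($name === '' || $name[0] === '/' || strpos($name, '\\') !== false || strpos($name, "\0") !== false) {
            $zip->close();
            throw new RuntimeException("unsafe entry name: $name");
        }
        foreach (explode('/', $name) as $component) {
            if ($component === '..') {
                $zip->close();
                throw new RuntimeException("path traversal in entry: $name");
            }
        }

        $isDirectory = substr($name, -1) === '/';
        if (!$isDirectory) {
            // Check every dot-separated segment after the base name, not just
            // the last one, so names like shell.php.png are also refused on
            // servers that map multiple extensions to the PHP handler.
            $segments = explode('.', basename($name));
            array_shift($segments);
            if (count($segments) === 0) {
                $zip->close();
                throw new RuntimeException("file without extension: $name");
            }
            foreach ($segments as $segment) {
                if (!in_array(strtolower($segment), $allowedExt, true)) {
                    $zip->close();
                    throw new RuntimeException("disallowed file type: $name");
                }
            }
        }

        // Bound the uncompressed size so a small upload cannot fill the disk.
        $total += (int) $stat['size'];
        if ($total > $maxTotalBytes) {
            $zip->close();
            throw new RuntimeException('archive exceeds the uncompressed size limit');
        }
        $entries[] = $name;
    }

    // Every entry passed validation; only now is anything written to disk.
    if (!$zip->extractTo($destReal, $entries)) {
        $zip->close();
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    return $entries;
}

// Usage in an upload handler (variable names are assumptions):
// $written = safeExtractPluginZip($_FILES['plugin']['tmp_name'], __DIR__ . '/plugin/' . $safePluginName);
```

The ordering matters: the whole archive is walked and rejected as a unit before the first file is written, so a single bad entry cannot leave a partially extracted plugin behind. The allowlist approach deliberately rejects anything not known to be a static asset; a denylist of PHP extensions alone would miss handler-mapped variants. Disabling `exec`/`system` in php.ini and denying script execution under `plugin/`, as the mitigation list below recommends, remain useful as defense in depth even after this kind of fix is in place.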
Exploit Details
- GitHub Advisory: Advisory describing the authenticated RCE vector via plugin import.
Mitigation Strategies
- Update AVideo to the latest version immediately.
- Disable 'exec' and 'system' functions in php.ini.
- Restrict file execution in the 'plugin/' directory.
Remediation Steps:
- Access the AVideo server terminal.
- Navigate to the installation directory.
- Run 'git pull' to fetch the latest code including commit b739aeeb9ce34aed9961d2c155d597810f8229db.
- Verify that 'objects/pluginImport.json.php' no longer contains 'exec("unzip ..."'.
References
Read the full report for GHSA-V8JW-8W5P-23G3 on our website for more details including interactive diagrams and full exploit analysis.