Impact
WWBN AVideo contains an unauthenticated SQL injection flaw in the objects\/videos.json.php and objects\/video.php components. The catName parameter in a JSON‑formatted POST request is not sanitized after JSON input is merged into $_REQUEST, allowing the payload to bypass the existing sanitization mechanisms. This flaw permits execution of arbitrary SQL statements against the database used by the application.
Affected Systems
All installations of WWBN AVideo versions earlier than 24.0 are affected. The flaw resides in the objects\/videos.json.php and objects\/video.php endpoints.
Risk and Exploitability
The CVSS score of 9.8 indicates a high severity vulnerability, and the EPSS score of 2% suggests a low but non‑zero probability of exploitation in the current environment. Based on the description, it is inferred that authentication is not required to reach the vulnerable endpoint, making the attack vector simple and accessible to anyone with network access to the application. The vulnerability is not yet listed in the CISA KEV catalog.
OpenCVE Enrichment
Github GHSA