CVE-2022-34652
HIGHWWBN AVideo 11.6 and dev master commit 3f7c0364 - SQL Injection via Live Schedules Description Parameter
Title source: llmDescription
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.This vulnerability exists in the Live Schedules plugin, allowing an attacker to inject SQL by manipulating the description parameter.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql
Technical Description, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1551
Scores
CVSS v3
8.8
EPSS
0.0088
EPSS Percentile
54.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (1)
wwbn/avideo
11.6
Published
Aug 22, 2022
Tracked Since
Feb 18, 2026