CVE-2026-28501
WWBN · AVideo
WWBN AVideo prior to 24.0 is vulnerable to an unauthenticated SQL injection in multiple components due to improper sanitization of JSON-formatted POST request bodies.
Executive summary
A critical unauthenticated SQL injection vulnerability in WWBN AVideo allows remote attackers to compromise the backend database and exfiltrate sensitive information.
Vulnerability
The injection is reachable without authentication through objects/videos.json.php and objects/video.php. Both accept a catName parameter, and the application does not sanitize it when the request body is JSON. The global input filters cover only standard form-encoded fields; a JSON body is decoded on a separate path that those filters never touch, so a catName value supplied in JSON reaches the SQL query unchanged. The general lesson is that a filter applied per input channel can be bypassed by switching channels, which is why binding query parameters, rather than broader input filtering, is the durable fix.
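As an added illustration of the bug class (this is not AVideo's code; the table, the filter and the request handler are all assumed), the following Python sketch shows why a sanitizer that only sees form-encoded input is bypassed by a JSON body, and why binding the parameter closes the hole on every input path:

```python
import json
import sqlite3
from urllib.parse import parse_qsl

# Constructed illustration of the bug class described in the advisory.
# NOT AVideo's code: the schema, the filter and the handler are assumed.


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two public videos and one private one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE videos (id INTEGER, title TEXT, category TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO videos VALUES (?, ?, ?, ?)",
        [
            (1, "Intro", "tutorials", 0),
            (2, "Setup", "tutorials", 0),
            (3, "Board meeting", "internal", 1),
        ],
    )
    return conn


def global_sanitize(value: str) -> str:
    """Stand-in for a global input filter that only ever sees form fields.
    Doubling single quotes stops them from closing a SQL string literal."""
    return value.replace("'", "''")


def parse_request(content_type: str, body: bytes) -> dict:
    """Form-encoded bodies pass through the filter; JSON bodies are decoded
    on a separate path and never do. That asymmetry is the bypass."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    return {k: global_sanitize(v) for k, v in parse_qsl(body.decode())}


def list_public_videos_vulnerable(conn: sqlite3.Connection, params: dict) -> list:
    """Interpolates catName into the statement: only safe if the value was
    escaped upstream, which JSON input was not."""
    sql = (
        "SELECT title FROM videos WHERE private = 0 AND category = '%s' ORDER BY id"
        % params["catName"]
    )
    return [row[0] for row in conn.execute(sql)]


def list_public_videos_fixed(conn: sqlite3.Connection, params: dict) -> list:
    """Binds catName as a parameter, so it stays data no matter which
    request parser produced it. This fix does not depend on every input
    path sharing one sanitizer."""
    sql = "SELECT title FROM videos WHERE private = 0 AND category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (params["catName"],))]


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"
    as_json = parse_request("application/json", json.dumps({"catName": payload}).encode())
    as_form = parse_request("application/x-www-form-urlencoded", b"catName=x%27+OR+%271%27%3D%271")
    print("form + interpolation:", list_public_videos_vulnerable(conn, as_form))  # []
    print("json + interpolation:", list_public_videos_vulnerable(conn, as_json))  # private row leaks
    print("json + bound param:  ", list_public_videos_fixed(conn, as_json))       # []
```

The same payload is harmless through the form path because the filter doubles its quote, leaks the private row through the JSON path because nothing touches it, and is harmless again once the query binds the value instead of interpolating it.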
Business impact
This vulnerability carries a CVSS score of 9.8. An attacker can use the injection to read, modify, or delete any data reachable by the application's database account, including user credentials, private video metadata, and site configuration. Depending on that account's privileges and the database configuration, SQL injection of this kind can sometimes be escalated further, up to remote code execution on the underlying server; treat that as environment-dependent rather than guaranteed.
Remediation
Immediate Action: Update WWBN AVideo to version 24.0 or later, which corrects the handling of JSON-supplied input parameters.
Proactive Monitoring: Review web logs for POST requests to the affected PHP files whose bodies carry SQL keywords or metacharacters in catName, and watch database logs for unusual query patterns (unexpected UNIONs, errors from malformed statements, reads against credential tables). Standard web server access logs do not record POST bodies, so this detection needs body logging at a reverse proxy or WAF, or application-level logging, to be effective.
Compensating Controls: Until the update is applied, configure a Web Application Firewall (WAF) to parse JSON request bodies (many rule sets inspect only form-encoded parameters unless a JSON body processor is enabled) and to block requests to the affected endpoints whose catName value matches SQL injection patterns. This is a stopgap, not a substitute for the patch.
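To make the monitoring item concrete, the following added example (not part of the advisory and not AVideo's code) classifies constructed request-log records for the two affected endpoints. It assumes a JSON-lines log with method, path, content_type and, where body logging is enabled, body fields; the sample records are made up, and the indicator pattern is a deliberately conservative heuristic rather than a signature for this CVE:

```python
import json
import re

# Endpoints named in the advisory.
AFFECTED_PATHS = {"/objects/videos.json.php", "/objects/video.php"}

# Conservative indicators: quote/comment metacharacters, or SQL keywords that
# rarely appear in a category name. Bare "or"/"and" are deliberately left out,
# because a category like "Rock and Roll" would otherwise be a false positive.
SQLI_PATTERN = re.compile(r"'|--|/\*|;|\b(?:union|select|sleep|benchmark)\b", re.IGNORECASE)

# Constructed sample records (not real traffic). Assumed format: one JSON
# object per line, as a reverse proxy or WAF with body logging might emit.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"method": "POST", "path": "/objects/videos.json.php", "content_type": "application/json",
     "body": '{"catName":"tutorials","current":1}'},
    {"method": "POST", "path": "/objects/videos.json.php", "content_type": "application/json",
     "body": "{\"catName\":\"x' OR '1'='1\"}"},
    {"method": "POST", "path": "/objects/video.php", "content_type": "application/json",
     "body": "{\"catName\":\"a' UNION SELECT 1,2,3-- \"}"},
    {"method": "POST", "path": "/objects/videos.json.php", "content_type": "application/json",
     "body": '{"catName":"Rock and Roll"}'},
    # Plain access-log style record: no body captured, so nothing to inspect.
    {"method": "POST", "path": "/objects/videos.json.php", "content_type": "application/json"},
    {"method": "GET", "path": "/objects/videos.json.php?catName=tutorials"},
])


def extract_catname(record: dict):
    """Return (status, catName). Only JSON bodies are inspected, because the
    advisory says form-encoded input still passes the global filter."""
    if "body" not in record:
        return "body-not-logged", None
    if "application/json" not in record.get("content_type", ""):
        return "ignored", None
    try:
        data = json.loads(record["body"])
    except ValueError:
        return "unparseable", None
    if not isinstance(data, dict) or "catName" not in data:
        return "benign", None
    return "ok", str(data["catName"])


def classify(record: dict) -> str:
    """Verdict for one record: ignored, body-not-logged, unparseable, benign or suspicious."""
    path = record.get("path", "").split("?", 1)[0]
    if record.get("method") != "POST" or path not in AFFECTED_PATHS:
        return "ignored"
    status, cat = extract_catname(record)
    if status != "ok":
        return status
    return "suspicious" if SQLI_PATTERN.search(cat) else "benign"


def scan(log_text: str) -> list:
    """Classify every JSON-lines record; returns [(verdict, method, path), ...]."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        results.append((classify(rec), rec.get("method"), rec.get("path")))
    return results


if __name__ == "__main__":
    for verdict, method, path in scan(SAMPLE_LOG):
        print(f"{verdict:16} {method} {path}")
```

The "body-not-logged" verdict is the point of the caveat above: a record from an ordinary access log carries the method and path but not the JSON body, so the injection attempt is invisible to this check until body logging is turned on somewhere in front of the application.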
Exploitation status
Public Exploit Available: false
Analyst recommendation
Apply the version 24.0 update to every AVideo installation as a top-priority emergency change. The flaw needs no credentials and is reachable over the network, so any internet-facing instance should be treated as exposed; where the update cannot be applied at once, put the WAF controls above in place and restrict exposure of the affected endpoints in the meantime.