CVE-2026-29058
AVideo · Video-sharing Platform
AVideo is vulnerable to unauthenticated command injection via the base64Url parameter. Attackers can execute arbitrary OS commands, leading to full server compromise.
Executive summary
AVideo video-sharing software contains a critical command injection vulnerability that allows unauthenticated attackers to execute OS commands and fully compromise the server.
Vulnerability
This vulnerability is caused by improper sanitization of the base64Url GET parameter. An unauthenticated attacker can inject shell command substitution sequences into this parameter, which are then executed by the server. This provides a direct path to remote code execution.
Business impact
A successful exploit results in total server takeover. Attackers can exfiltrate sensitive configuration files, steal database credentials, and disrupt video services. Because no authentication is required, any AVideo instance exposed to the internet is at extreme risk of data theft or of being enlisted into a botnet. The CVSS score of 9.8 reflects this maximum risk.
Remediation
Immediate Action: Upgrade AVideo to version 7.0 or later without delay. This version contains the patches that sanitize the vulnerable parameter.
Proactive Monitoring: Check web server access logs for suspicious strings or encoded shell commands within the base64Url parameter.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter for common shell injection patterns (e.g., backticks, $(), or pipe symbols) in GET requests.
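The log check recommended above, as an added example that is not part of the advisory or of AVideo: it parses combined-format access log lines, pulls the base64Url parameter out of each request, and flags values that carry the shell-injection tokens named in the WAF guidance, both in their URL-decoded form and after base64 decoding. The log lines and the /video.php path are constructed placeholders, not AVideo's real endpoint.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Combined/common log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The shell-injection patterns named in the advisory's WAF guidance: backtick, $( and pipe.
SHELL_RE = re.compile(r"`|\$\(|\|")
PARAM = "base64Url"


def base64_forms(value):
    """Return the value plus, if it is valid base64/base64url text, its decoded form."""
    forms = [value]
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # restore padding stripped by base64url encoders
    try:
        forms.append(base64.b64decode(std, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64 text: only the raw form is inspected
    return forms


def inspect_line(line):
    """Return a finding dict if base64Url carries a shell metacharacter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
    for value in query.get(PARAM, []):  # parse_qs has already URL-decoded once
        for form in base64_forms(value):
            hit = SHELL_RE.search(form)
            if hit:
                return {"ip": m["ip"], "ts": m["ts"], "token": hit.group(0), "decoded": form}
    return None


def scan(lines):
    """Run inspect_line over an iterable of access-log lines and collect the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample lines (placeholder path, placeholder addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Mar/2026:10:00:00 +0000] "GET /video.php?base64Url=aHR0cHM6Ly9leGFtcGxlLmNvbS92LzEyMw== HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2026:10:00:05 +0000] "GET /video.php?base64Url=%24%28id%29 HTTP/1.1" 200 200',
    '198.51.100.7 - - [01/Mar/2026:10:00:09 +0000] "GET /video.php?base64Url=JChpZCk%3D HTTP/1.1" 200 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Legitimate base64Url values decode to URLs, so a pipe inside a decoded query string can cause a false positive; treat hits as triage leads and confirm against the full request.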
Exploitation status
Public Exploit Available: No
Analyst recommendation
This is a "worst-case" vulnerability for a web-facing application. The ability of an unauthenticated user to execute system commands requires immediate remediation. To prevent imminent compromise, take affected AVideo instances offline until they can be updated to version 7.0.