CVE-2026-34374
WWBN · AVideo
WWBN AVideo contains a critical SQL injection vulnerability in its stream key lookup path, allowing unauthenticated attackers to execute malicious database queries.
Executive summary
Unauthenticated attackers can compromise the WWBN AVideo database via SQL injection in the stream key lookup process, potentially leading to full system takeover.
Vulnerability
An SQL injection vulnerability exists in the Live_schedule::keyExists() method. While the primary lookup is parameterized, a fallback lookup interpolates the stream key directly into a SQL string. This path is reachable by unauthenticated attackers during RTMP publish authentication, where the stream key is supplied by the client.
Business impact
A successful SQL injection can lead to the exposure of sensitive user data, administrative credentials, and video content. Depending on database permissions, an attacker might also achieve remote code execution on the underlying server. The CVSS score of 9.1 underscores the critical risk to data confidentiality and system integrity.
Remediation
Immediate Action: Since no patched version is available as of publication, administrators should consider disabling RTMP publishing or implementing strict input validation at the reverse proxy level.
Proactive Monitoring: Monitor database logs for unusual query syntax or errors originating from the Live_schedule class.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules specifically targeting the RTMP authentication endpoints.
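The lookup pattern described under Vulnerability, beside the parameterized-plus-validation fix the Remediation section calls for, as an added example that is not AVideo's own (PHP) code: the table schema, the stream key format and the LIKE-based fallback are assumptions, modelled on the advisory's description and shown with an in-memory SQLite database.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the live schedule table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE live_schedule (id INTEGER PRIMARY KEY, key TEXT NOT NULL)")
    db.executemany("INSERT INTO live_schedule (key) VALUES (?)",
                   [("abc123",), ("stream-42",)])
    return db


def key_exists_vulnerable(db, key):
    """Pattern from the advisory: parameterized primary lookup, then a fallback
    that interpolates the client-supplied key into the SQL string."""
    if db.execute("SELECT id FROM live_schedule WHERE key = ?", (key,)).fetchone():
        return True
    # Fallback (assumed to be a prefix match) built by interpolation: the key
    # is treated as SQL, not as data, so quotes in it change the query.
    sql = f"SELECT id FROM live_schedule WHERE key LIKE '{key}%'"
    return db.execute(sql).fetchone() is not None


# Allowlist for stream keys; the same rule can be enforced at a reverse proxy
# in front of the RTMP authentication endpoint (assumed key format).
STREAM_KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def valid_stream_key(key):
    return isinstance(key, str) and STREAM_KEY_RE.fullmatch(key) is not None


def key_exists_hardened(db, key):
    """Malformed keys are rejected up front and both lookups are parameterized;
    LIKE wildcards in the key are escaped so it stays a literal prefix."""
    if not valid_stream_key(key):
        return False
    if db.execute("SELECT id FROM live_schedule WHERE key = ?", (key,)).fetchone():
        return True
    prefix = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
    row = db.execute("SELECT id FROM live_schedule WHERE key LIKE ? ESCAPE '\\'",
                     (prefix,)).fetchone()
    return row is not None
```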
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations using WWBN AVideo must be on high alert due to the lack of an official patch. It is recommended to monitor the vendor's repository for security updates and apply them the moment they become available. In the interim, implement aggressive WAF filtering to block potential SQL injection payloads in stream key parameters.