CVE-2023-49862 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting the WWBN AVideo platform, an open-source video hosting and streaming solution. The vulnerability exists in the aVideoEncoderReceiveImage.json.php script, which handles image uploads. Specifically, the downloadURL_gifimage parameter is improperly validated, allowing an attacker to craft a malicious HTTP request that causes the server to read arbitrary files. This can lead to information disclosure of sensitive files on the server, potentially exposing configuration files, credentials, or other critical data. The vulnerability requires the attacker to have low-level privileges (PR:L), meaning some form of authentication is necessary, but no user interaction is required (UI:N). The attack vector is network-based (AV:N), and the vulnerability does not affect integrity or availability, only confidentiality. The affected version is the dev master commit 15fed957fb, indicating this is a development branch rather than a stable release. No patches have been linked yet, and no known exploits have been reported in the wild. The vulnerability's medium severity (CVSS 6.5) reflects the significant confidentiality impact balanced against the requirement for authentication and limited scope. This flaw could be leveraged by attackers who have gained low-level access to escalate their information gathering capabilities within the affected environment.

For European organizations using WWBN AVideo, particularly those running development or testing instances with the affected commit, this vulnerability poses a risk of sensitive information leakage. Confidential data such as server configuration files, credentials, or proprietary media metadata could be exposed, potentially aiding further attacks like privilege escalation or lateral movement. Media companies, educational institutions, or enterprises hosting internal video platforms may be impacted. Although the vulnerability requires authenticated access, insider threats or compromised low-privilege accounts could exploit it. The impact on confidentiality could lead to regulatory compliance issues under GDPR if personal data is exposed. However, since the vulnerability does not affect integrity or availability, direct disruption of services is unlikely. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given time.

European organizations should immediately audit their WWBN AVideo deployments to identify if the affected dev master commit 15fed957fb is in use, particularly in development or staging environments. Restrict access to the aVideoEncoderReceiveImage.json.php endpoint to trusted users and networks, employing network segmentation and strong authentication controls. Implement strict input validation and sanitization for the downloadURL_gifimage parameter to prevent path traversal or arbitrary file read attempts. Monitor logs for unusual access patterns or attempts to exploit this parameter. Since no official patch is currently available, consider rolling back to a stable, unaffected version or applying custom fixes to validate and sanitize inputs. Educate developers and administrators about the risk and ensure that development branches are not exposed in production environments. Prepare to apply vendor patches promptly once released. Additionally, enforce the principle of least privilege for user accounts to limit the potential for exploitation.