WWBN AVideo, an open source video platform, contains a path traversal vulnerability (CWE-22) in versions 29.0 and earlier. The vulnerability is due to an incomplete fix for the CloneSite feature's deleteDump parameter, which does not apply adequate filtering to prevent path traversal via '../../' sequences in a GET request. This flaw enables an attacker with low privileges to invoke unlink() on arbitrary files, potentially causing denial of service or other impacts by deleting critical files. A code commit (3c729717c26f160014a5c86b0b6accdbd613e7b2) includes an updated fix for this issue. The CVSS 3.1 score is 8.1, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impact.

The vulnerability allows an attacker with low privileges to delete arbitrary files on the affected system by exploiting path traversal sequences in a GET parameter. This can lead to high impact on integrity and availability of the system, potentially causing denial of service or disruption of service. There is no reported confidentiality impact. No known exploits in the wild have been reported to date.

An updated fix addressing this vulnerability is available in the referenced commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. Users of WWBN AVideo version 29.0 and below should apply this fix or upgrade to a version that includes it. Patch status is not explicitly confirmed in the advisory, so users should verify the vendor's repository or official channels for the patched release. Until patched, restrict access to the affected functionality and monitor for suspicious activity related to the CloneSite deleteDump parameter.