Main Vulnerability Database Vulnerabilities #VU22466

OS Command Injection in YouPHPTube-Encoder - CVE-2019-5127

Published: November 1, 2019

Vulnerability identifier: #VU22466

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-5127

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: YouPHPTube

Affected software:
YouPHPTube-Encoder

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target server.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "base64Url" parameter in "/objects/getImage.php" URL. A remote unauthenticated attacker can send a specially crafted web request containing specific parameter and execute arbitrary OS commands on the target server.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2019-5127

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917

OS Command Injection in YouPHPTube-Encoder - CVE-2019-5127

Detailed vulnerability description

How to mitigate CVE-2019-5127

Sources

Please verify you're human