Skip to content

Commit bd73d98

Browse files
author
jenkins-metasploit
committed
automatic module_metadata_base.json update
1 parent a90ec10 commit bd73d98

1 file changed

Lines changed: 55 additions & 0 deletions

File tree

db/modules_metadata_base.json

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21071,6 +21071,61 @@
2107121071
"needs_cleanup": false,
2107221072
"actions": []
2107321073
},
21074+
"auxiliary_gather/avideo_catname_sqli": {
21075+
"name": "AVideo Unauthenticated SQL Injection Credential Dump",
21076+
"fullname": "auxiliary/gather/avideo_catname_sqli",
21077+
"aliases": [],
21078+
"rank": 300,
21079+
"disclosure_date": "2026-03-05",
21080+
"type": "auxiliary",
21081+
"author": [
21082+
"arkmarta",
21083+
"Valentin Lobstein <chocapikk@leakix.net>"
21084+
],
21085+
"description": "AVideo <= 22.0 is vulnerable to unauthenticated SQL injection via the\n catName parameter in objects/videos.json.php (CVE-2026-28501).\n\n The security filter in security.php sanitizes GET/POST parameters but\n does not cover JSON request bodies. Since videos.json.php parses JSON\n input and merges it into $_REQUEST after the filter runs, a catName\n value sent as JSON bypasses sanitization entirely and reaches\n getCatSQL() unsanitized.\n\n This module uses time-based blind injection with BENCHMARK() to dump\n usernames and password hashes. SLEEP() is blocked by the sqlDAL\n prepared statement layer, but BENCHMARK(N*(condition), SHA1(x)) works\n because the condition is evaluated as a multiplier on the iteration\n count, avoiding the subquery restrictions imposed by prepare().\n\n Fixed in 24.0 (no 23.0 release exists).",
21086+
"references": [
21087+
"CVE-2026-28501",
21088+
"GHSA-pv87-r9qf-x56p"
21089+
],
21090+
"platform": "",
21091+
"arch": "",
21092+
"rport": 80,
21093+
"autofilter_ports": [
21094+
80,
21095+
8080,
21096+
443,
21097+
8000,
21098+
8888,
21099+
8880,
21100+
8008,
21101+
3000,
21102+
8443
21103+
],
21104+
"autofilter_services": [
21105+
"http",
21106+
"https"
21107+
],
21108+
"targets": null,
21109+
"mod_time": "2026-03-23 01:52:06 +0000",
21110+
"path": "/modules/auxiliary/gather/avideo_catname_sqli.rb",
21111+
"is_install_path": true,
21112+
"ref_name": "gather/avideo_catname_sqli",
21113+
"check": true,
21114+
"post_auth": false,
21115+
"default_credential": false,
21116+
"notes": {
21117+
"Stability": [
21118+
"crash-safe"
21119+
],
21120+
"SideEffects": [
21121+
"ioc-in-logs"
21122+
],
21123+
"Reliability": []
21124+
},
21125+
"session_types": false,
21126+
"needs_cleanup": false,
21127+
"actions": []
21128+
},
2107421129
"auxiliary_gather/avtech744_dvr_accounts": {
2107521130
"name": "AVTECH 744 DVR Account Information Retrieval",
2107621131
"fullname": "auxiliary/gather/avtech744_dvr_accounts",

0 commit comments

Comments
 (0)