| عنوان | welovemedia FFmate <= v2.0.15 Argument Injection |
|---|
| الوصف | An argument injection vulnerability exists in FFmate ≤ v2.0.15 at the FFmpeg command execution functionality, where user-controlled command parameters are passed directly to the FFmpeg binary without sufficient validation or sanitization. While the application attempts to prevent command injection through shell escaping, attackers can still manipulate FFmpeg's extensive argument options to perform unintended operations. Specifically, by crafting malicious preset commands that leverage FFmpeg's metadata writing capabilities, attackers can construct text files with arbitrary content and write them to arbitrary filesystem locations accessible to the application process. This enables attackers to overwrite critical system files, inject SSH authorized keys for remote access, modify application configuration files, and potentially achieve full remote code execution. Mitigations include implementing strict allowlists for permitted FFmpeg arguments and output formats, validating and restricting output file paths to designated safe directories, removing dangerous FFmpeg capabilities such as arbitrary metadata file writing, and conducting thorough input validation on all user-supplied preset commands. |
|---|
| المصدر | ⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/ffmate/vulnerability-3 |
|---|
| المستخدم | Anonymous User |
|---|
| ارسال | 22/02/2026 04:49 PM (2 أشهر منذ) |
|---|
| الاعتدال | 06/03/2026 10:29 PM (12 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 349584 [welovemedia FFmate حتى 2.0.15 ffmpeg.go Execute تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|