CVE-2022-24739: 
PHP vulnerability analysis and mitigation

CVE-2022-24739 affects alltube, an HTML front end for youtube-dl, in versions prior to 3.0.3. The vulnerability was discovered and disclosed on March 8, 2022. The issue allows attackers to craft special HTML pages to trigger either an open redirect attack or a Server-Side Request Forgery (SSRF) attack, depending on the application's configuration (GitHub Advisory).

The vulnerability stems from insufficient URL validation in the application. An attacker could exploit this by crafting special HTML pages that could lead to SSRF or open redirect attacks. The vulnerability has received a CVSS v3.1 base score of 7.3 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The issue is tracked under two CWE categories: CWE-918 (Server-Side Request Forgery) and CWE-601 (URL Redirection to Untrusted Site) (GitHub Advisory).

The vulnerability can lead to Server-Side Request Forgery (SSRF) attacks or open redirect attacks. However, the SSRF attack impact is mitigated as it is only possible when the 'stream' option is enabled in the configuration, which is disabled by default (GitHub Advisory).

The vulnerability has been fixed in version 3.0.3. The fix includes applying a patch to youtube-dl to disable its generic extractor. Users of version 3.0.3 with the bundled youtube-dl are protected. However, users with custom unpatched youtube-dl installations might still be vulnerable. Note that versions 1.x and 2.x are no longer maintained (GitHub Advisory).