
Cloud Vulnerability DB
A community-led vulnerabilities database
An insufficient-entropy vulnerability exists in the salt generation functionality of WWBN AVideo, dev master commit 15fed957fb. The vulnerability (CVE-2023-49599) allows an attacker to gather system information via HTTP requests, brute-force the salt offline, and then forge a legitimate password recovery code for the admin user (Talos Report).
The weak salt is generated during installation with PHP's uniqid(), a function whose own documentation states that it does not produce cryptographically secure values: its output is derived from the current time (seconds plus a microsecond counter), so an attacker who can narrow down when the installation ran only has to enumerate a time window rather than a random keyspace. That salt is then the only secret behind the password recovery codes: the codes are encrypted with AES-256-CBC using the SHA-256 hash of the salt as the key and the installation path as the IV. Hashing the salt does not add entropy; a key derived from a guessable salt is itself guessable, and the path-derived IV is not secret either (Talos Report).
With the salt recovered, an attacker can produce valid password recovery codes for administrator accounts and reset an administrator's password without ever seeing the administrator's mailbox, effectively gaining unauthorized administrative access to the system (Talos Report).
The vulnerability was fixed in a vendor release on December 18, 2023. Users are advised to update to the patched version of WWBN AVideo (Talos Report).
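The following Python model is an added example, not code from AVideo or from the Talos report. It reproduces the format PHP's uniqid() emits (8 hex digits of Unix seconds followed by 5 hex digits of microseconds, without prefix or extra entropy), derives the key as SHA-256 of the salt as the page describes, and shows how small the search space becomes once the install time is narrowed to a window. The install timestamp is constructed, the one-second window is an assumption standing in for whatever the HTTP reconnaissance yields, and the oracle that confirms a candidate is a stand-in that compares against the true key, because the page does not detail how a candidate is checked offline. A CSPRNG-based salt is shown beside it as the hardened form.

```python
"""Why a uniqid()-derived salt can be brute-forced offline (added example)."""
import hashlib
import math
import secrets
from typing import Callable, Optional

MICROS = 1_000_000  # uniqid() appends a microsecond counter to the seconds


def php_uniqid(sec: int, usec: int) -> str:
    """Mimic PHP uniqid() with no prefix and more_entropy=false:
    sprintf("%08x%05x", seconds, microseconds)."""
    return "%08x%05x" % (sec, usec)


def derive_key(salt: str) -> bytes:
    """Key derivation as described on the page: SHA-256 of the salt."""
    return hashlib.sha256(salt.encode()).digest()


def uniqid_search_bits(window_seconds: int) -> float:
    """Effective entropy (bits) of a uniqid() salt when the attacker knows the
    generation time to within window_seconds. Hashing it afterwards does not
    raise this number."""
    return math.log2(window_seconds * MICROS)


def brute_force_salt(window_start: int, window_seconds: int,
                     key_matches: Callable[[bytes], bool]) -> Optional[str]:
    """Enumerate every uniqid() value the installer could have produced inside
    the window and return the first whose derived key satisfies the oracle."""
    for sec in range(window_start, window_start + window_seconds):
        for usec in range(MICROS):
            candidate = php_uniqid(sec, usec)
            if key_matches(derive_key(candidate)):
                return candidate
    return None


def secure_salt() -> str:
    """Hardened replacement: 32 bytes from the OS CSPRNG (256 bits), the
    Python equivalent of PHP's bin2hex(random_bytes(32))."""
    return secrets.token_hex(32)


def demo() -> dict:
    # Constructed scenario (assumption): the installer ran at this instant.
    install_sec, install_usec = 0x6580F1A0, 0x2F3C1
    true_salt = php_uniqid(install_sec, install_usec)
    true_key = derive_key(true_salt)

    # Stand-in oracle (assumption): compares a candidate key with the real one.
    # A real attacker would instead test candidates against data they can
    # observe; the page does not describe that step, so it is not modelled.
    def oracle(candidate_key: bytes) -> bool:
        return candidate_key == true_key

    # Assumption: reconnaissance narrowed the install time to a 1-second window.
    recovered = brute_force_salt(install_sec, 1, oracle)
    return {
        "true_salt": true_salt,
        "recovered_salt": recovered,
        "bits_one_second_window": uniqid_search_bits(1),
        "bits_one_day_window": uniqid_search_bits(86400),
        "secure_salt_bits": 8 * 32,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Even a window of a full day leaves only about 2^36 candidates, which is well within reach of an offline search on commodity hardware, whereas the hardened salt has 2^256. The fix is to replace the salt source, not to hash it more; in PHP that means random_bytes() rather than uniqid().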
Source: This report was generated using AI