{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/avideo--29.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AVideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["avideo","api-disclosure","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo, a video-sharing platform, is vulnerable to a critical security flaw that allows unauthenticated users to access sensitive API secrets. Specifically, the \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e endpoint, intended to provide plugin configuration details, inadvertently exposes the \u003ccode\u003eAPISecret\u003c/code\u003e within the \u003ccode\u003eobject_data\u003c/code\u003e. This vulnerability, present in versions 29.0 and earlier, allows an attacker to bypass authentication and directly interact with protected API endpoints. By extracting the \u003ccode\u003eAPISecret\u003c/code\u003e, an attacker can then craft API requests to access restricted data, such as user lists, without proper authorization. This poses a significant risk to data confidentiality and integrity within AVideo installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker discovers the publicly accessible \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e to retrieve plugin configurations.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing plugin \u003ccode\u003eobject_data\u003c/code\u003e, including the \u003ccode\u003eAPISecret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the \u003ccode\u003eAPISecret\u003c/code\u003e from the JSON response.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to the \u003ccode\u003eplugin/API/get.json.php\u003c/code\u003e endpoint, including the \u003ccode\u003eAPISecret\u003c/code\u003e as an authentication token.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies the desired \u003ccode\u003eAPIName\u003c/code\u003e (e.g., \u003ccode\u003eusers_list\u003c/code\u003e) and other parameters (e.g., \u003ccode\u003erowCount\u003c/code\u003e, \u003ccode\u003ecurrent\u003c/code\u003e) in the API request.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly validates the request based on the provided \u003ccode\u003eAPISecret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server responds with the requested data, granting the attacker unauthorized access to protected information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthorized access to sensitive data managed by the AVideo platform. An attacker could potentially access user lists and other restricted information. The number of affected installations is currently unknown, but any instance running AVideo version 29.0 or earlier is susceptible. This can lead to data breaches, privacy violations, and potential misuse of user information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix of requiring admin authentication for the full plugin inventory/config endpoint (as suggested in the advisory).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AVideo API Secret Disclosure Attempt\u0026rdquo; to detect attempts to access the vulnerable \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AVideo Unauthorized API Access via APISecret\u0026rdquo; to detect unauthorized API calls using a disclosed API secret.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-avideo-api-disclosure/","summary":"AVideo version 29.0 and earlier is vulnerable to unauthenticated API secret disclosure via a publicly accessible endpoint, allowing unauthorized access to protected API endpoints.","title":"AVideo API Secret Disclosure Leads to Unauthorized Access","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-api-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["aVideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","avideo","dns-rebinding"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo, version 29.0 and earlier, contains a Server-Side Request Forgery (SSRF) vulnerability due to insufficient validation of user-supplied URLs. Specifically, the \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function, intended to prevent SSRF attacks, fails to account for HTTP redirects. This allows an attacker to bypass the intended security checks by providing a URL that initially appears safe but redirects to an internal resource, such as cloud metadata endpoints (169.254.169.254). Additionally, multiple callers of \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e discard the \u003ccode\u003e$resolvedIP\u003c/code\u003e parameter, creating a Time-of-Check Time-of-Use (TOCTOU) race condition exploitable via DNS rebinding. Attackers can manipulate DNS resolution to access internal services (127.0.0.1) that would otherwise be protected. Successful exploitation can lead to the disclosure of sensitive information, such as IAM credentials and internal service details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL pointing to a server they control.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server responds with a 302 redirect to an internal resource (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the initial malicious URL to a vulnerable AVideo endpoint (e.g., \u003ccode\u003e/plugin/AI/receiveAsync.json.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function validates the initial URL, which resolves to a public IP address, and incorrectly passes the check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efile_get_contents()\u003c/code\u003e function, without proper redirect restrictions, follows the 302 redirect to the internal resource.\u003c/li\u003e\n\u003cli\u003eThe request is made to the internal resource, bypassing the intended SSRF protections.\u003c/li\u003e\n\u003cli\u003eThe internal resource (e.g., cloud metadata) responds with sensitive information.\u003c/li\u003e\n\u003cli\u003eThe sensitive information (e.g., IAM credentials) is stored as a video thumbnail or image within the application, accessible to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an authenticated attacker to force the AVideo server to make HTTP requests to arbitrary internal hosts. This includes cloud metadata endpoints (e.g., 169.254.169.254), potentially leading to the exfiltration of IAM credentials and instance identity information. Attackers can also access internal services on localhost (127.0.0.1) or the private network, such as databases, admin panels, and monitoring systems. The exfiltrated data can be retrieved through the application\u0026rsquo;s public interface, increasing the severity of the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix by routing affected files through \u003ccode\u003eurl_get_contents()\u003c/code\u003e to safely handle redirects, as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003eAs an alternative to using \u003ccode\u003eurl_get_contents()\u003c/code\u003e, implement an explicit no-redirect context when calling \u003ccode\u003efile_get_contents()\u003c/code\u003e to prevent automatic redirect following.\u003c/li\u003e\n\u003cli\u003eUpdate all callers of \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e to capture the \u003ccode\u003e$resolvedIP\u003c/code\u003e parameter and pass it to a DNS-pinning-aware fetch function using \u003ccode\u003eCURLOPT_RESOLVE\u003c/code\u003e to mitigate DNS rebinding attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing internal IP addresses (169.254.169.254, 127.0.0.1) in the URL, as these may indicate SSRF attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-avideo-ssrf/","summary":"AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied URLs that does not prevent HTTP redirects, and DNS rebinding due to discarded resolved IP addresses.","title":"AVideo SSRF Vulnerability via HTTP Redirect and DNS Rebinding","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["avideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["avideo","information_disclosure","database_dump"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo, a video sharing platform, is vulnerable to an unauthenticated information disclosure flaw in its CloneSite plugin. The vulnerability resides in the \u003ccode\u003eplugin/CloneSite/cloneClient.json.php\u003c/code\u003e endpoint. This endpoint inadvertently echoes the local CloneSite shared secret (\u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e) in HTTP responses without requiring any form of authentication. This secret is intended to authenticate requests between federated AVideo instances using the CloneSite plugin. An attacker can exploit this vulnerability by simply sending a GET request to the vulnerable endpoint, obtaining the \u003ccode\u003emyKey\u003c/code\u003e. When the AVideo installation is federated with a remote CloneSite server, the attacker can use the leaked \u003ccode\u003emyKey\u003c/code\u003e to impersonate the victim client and trigger a full database dump of the remote server. This database dump includes sensitive information such as user credentials, payment records, and API keys. The vulnerability affects AVideo version 29.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003ehttps://victim.example.com/plugin/CloneSite/cloneClient.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo server echoes the local \u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e within the HTTP response body due to a flawed error message construction.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the leaked \u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e from the response.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the remote CloneSite server (\u003ccode\u003ehttps://remote-server.example.com/plugin/CloneSite/cloneServer.json.php\u003c/code\u003e) using the leaked \u003ccode\u003e$objClone-\u0026gt;myKey\u003c/code\u003e and the victim\u0026rsquo;s URL.\u003c/li\u003e\n\u003cli\u003eThe remote CloneSite server validates the attacker\u0026rsquo;s request using the provided key, successfully authenticating the attacker as the victim client.\u003c/li\u003e\n\u003cli\u003eThe remote server executes a \u003ccode\u003emysqldump\u003c/code\u003e command, dumping the entire database (excluding \u003ccode\u003eCachesInDB\u003c/code\u003e) to a publicly accessible directory (\u003ccode\u003evideos/clones/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the database dump from the remote server via an unauthenticated HTTP GET request to \u003ccode\u003ehttps://remote-server.example.com/videos/clones/Clone_mysqlDump_*.sql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the database dump, gaining access to sensitive information such as user credentials, payment records, and API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any unauthenticated attacker to retrieve the CloneSite shared secret (\u003ccode\u003emyKey\u003c/code\u003e) of any AVideo installation with the CloneSite plugin enabled. When the affected installation is federated with a remote CloneSite server, the attacker can impersonate the victim client and trigger a full database dump of the remote server containing sensitive data. This can lead to the compromise of user accounts, financial information, and sensitive plugin configurations on the remote server. This vulnerability permits unauthorized access to critical data, potentially resulting in severe data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by not echoing the expected key in the rejection message within \u003ccode\u003eplugin/CloneSite/cloneClient.json.php\u003c/code\u003e, and reject non-CLI / non-admin callers cleanly, as detailed in the overview (see code snippet in advisory).\u003c/li\u003e\n\u003cli\u003eImplement the additional hardening recommendations, including replacing the static \u003ccode\u003emyKey\u003c/code\u003e with a randomly generated, per-installation key stored in the plugin configuration that can be rotated.\u003c/li\u003e\n\u003cli\u003eOn the remote side (\u003ccode\u003ecloneServer.json.php\u003c/code\u003e), consider requiring the \u003ccode\u003esqlFile\u003c/code\u003e path to be unguessable (already is, via \u003ccode\u003euniqid()\u003c/code\u003e) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token.\u003c/li\u003e\n\u003cli\u003eServe \u003ccode\u003evideos/clones/\u003c/code\u003e with an \u003ccode\u003e.htaccess\u003c/code\u003e/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-avideo-clonesite-leak/","summary":"AVideo is vulnerable to unauthenticated information disclosure via the `plugin/CloneSite/cloneClient.json.php` endpoint, which echoes the local CloneSite shared secret (`$objClone-\u003emyKey`) in HTTP responses without authentication, enabling cross-site database dumps of the configured clone server.","title":"AVideo CloneSite Unauthenticated Information Disclosure Leading to Remote Database Dump","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-clonesite-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AVideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["avideo","xss","websocket","vulnerability"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo is vulnerable to an unauthenticated cross-site scripting (XSS) vulnerability stemming from an incomplete fix for the YPTSocket \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e eval sink (GHSA-gph2-j4c9-vhhr). The initial patch only stripped the payload when present under \u003ccode\u003e$json['msg']\u003c/code\u003e, but the relay function \u003ccode\u003emsgToResourceId()\u003c/code\u003e prioritizes \u003ccode\u003e$msg['json']\u003c/code\u003e before \u003ccode\u003e$msg['msg']\u003c/code\u003e. An unauthenticated attacker can exploit this flaw by obtaining a WebSocket token from \u003ccode\u003eplugin/YPTSocket/getWebSocket.json.php\u003c/code\u003e, connecting to the WebSocket server, and sending a message with \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e nested under a top-level \u003ccode\u003ejson\u003c/code\u003e field. This bypasses the strip branch, delivering the payload verbatim to any logged-in user identified by \u003ccode\u003eto_users_id\u003c/code\u003e, and the client script executes it via \u003ccode\u003eeval()\u003c/code\u003e. Versions of AVideo up to and including 29.0 are affected if they have not implemented the recommended fixes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker requests a WebSocket token from \u003ccode\u003eplugin/YPTSocket/getWebSocket.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server issues a valid WebSocket token without authentication or CSRF checks.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a WebSocket connection to the server using the obtained token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious message containing JavaScript code within the \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e field, nested under a top-level \u003ccode\u003ejson\u003c/code\u003e field: \u003ccode\u003e{\u0026quot;msg\u0026quot;: \u0026quot;x\u0026quot;, \u0026quot;json\u0026quot;: {\u0026quot;autoEvalCodeOnHTML\u0026quot;: \u0026quot;\u0026lt;js\u0026gt;\u0026quot;}, \u0026quot;to_users_id\u0026quot;: \u0026lt;victim\u0026gt;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted message to the WebSocket server.\u003c/li\u003e\n\u003cli\u003eThe server-side validation logic in \u003ccode\u003eplugin/YPTSocket/Message.php\u003c/code\u003e fails to properly sanitize the \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e field due to the bypass.\u003c/li\u003e\n\u003cli\u003eThe server relays the message to the targeted user (\u003ccode\u003eto_users_id\u003c/code\u003e) via the WebSocket connection.\u003c/li\u003e\n\u003cli\u003eThe client-side script (\u003ccode\u003eplugin/YPTSocket/script.js\u003c/code\u003e) receives the message and executes the JavaScript code within \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e via \u003ccode\u003eeval()\u003c/code\u003e, leading to XSS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for unauthenticated XSS and arbitrary JavaScript execution within any logged-in user\u0026rsquo;s browser session. A successful exploit enables attackers to compromise the same-origin policy, potentially leading to session data exfiltration, authenticated XHR calls on the victim\u0026rsquo;s behalf, privilege escalation (if targeting an administrator), and mass exploitation by enumerating active users via the \u003ccode\u003egetClientsList\u003c/code\u003e request. Deployments that only patched to commit \u003ccode\u003ec08694bf6\u003c/code\u003e remain vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended patch by scrubbing \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e from \u003cstrong\u003eevery\u003c/strong\u003e outbound carrier the relay may choose in \u003ccode\u003eplugin/YPTSocket/Message.php\u003c/code\u003e and \u003ccode\u003eplugin/YPTSocket/MessageSQLiteV2.php\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003eHarden the relay in \u003ccode\u003emsgToResourceId()\u003c/code\u003e (both files) by recursively walking the chosen \u003ccode\u003e$obj['msg']\u003c/code\u003e and unsetting \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e when the message originated from a non-PHP, non-CLI client.\u003c/li\u003e\n\u003cli\u003eAs defense in depth, remove or gate the client-side \u003ccode\u003eeval(json.msg.autoEvalCodeOnHTML)\u003c/code\u003e at \u003ccode\u003eplugin/YPTSocket/script.js:573-575\u003c/code\u003e behind a server-signed field rather than a plain JSON key.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo YPTSocket autoEvalCodeOnHTML Bypass\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for WebSocket messages containing the \u003ccode\u003eautoEvalCodeOnHTML\u003c/code\u003e field within a \u003ccode\u003ejson\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-avideo-xss/","summary":"AVideo is vulnerable to unauthenticated cross-site scripting (XSS) due to an incomplete server-side fix for a YPTSocket `autoEvalCodeOnHTML` eval sink, allowing an attacker to bypass the fix by nesting the payload under a top-level `json` field, leading to arbitrary JavaScript execution in any logged-in user's browser session.","title":"AVideo Unauthenticated Cross-User JavaScript Execution via YPTSocket Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — AVideo (\u003c= 29.0)","version":"https://jsonfeed.org/version/1.1"}