{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/avideo-platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo Platform"],"_cs_severities":["critical"],"_cs_tags":["avideo","authentication-bypass","cve-2026-33716"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is vulnerable to an authentication bypass flaw affecting versions up to and including 26.0. The vulnerability resides in the \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e endpoint, which handles live stream control. By manipulating the \u003ccode\u003estreamerURL\u003c/code\u003e parameter, a malicious actor can redirect token verification requests to a server under their control. This malicious server is designed to always return a positive authentication response (\u003ccode\u003e{\u0026quot;error\u0026quot;: false}\u003c/code\u003e), effectively bypassing the intended authentication process. This allows an unauthenticated attacker to take complete control over any live stream hosted on the platform. The vulnerability was patched in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This vulnerability poses a severe risk to AVideo platforms as it could lead to unauthorized modification or disruption of live streams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo platform running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003estreamerURL\u003c/code\u003e parameter, setting its value to a URL pointing to a server under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker's server is configured to respond to any token verification request with a JSON response: \u003ccode\u003e{\u0026quot;error\u0026quot;: false}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo platform, upon receiving the crafted request, sends a token verification request to the attacker-controlled \u003ccode\u003estreamerURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's server responds with \u003ccode\u003e{\u0026quot;error\u0026quot;: false}\u003c/code\u003e, tricking the AVideo platform into believing the user is authenticated.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use other parameters in the \u003ccode\u003econtrol.json.php\u003c/code\u003e endpoint to perform unauthorized actions on live streams, such as dropping active publishers.\u003c/li\u003e\n\u003cli\u003eThe attacker can also start/stop recordings or probe for the existence of live streams.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33716 allows an unauthenticated attacker to gain full control over live streams on the affected AVideo platform. This can lead to various detrimental outcomes, including unauthorized termination of legitimate streams, injection of malicious content into live broadcasts, and disruption of service. The CVSS v3.1 base score for this vulnerability is 9.4, indicating a critical severity level. The number of affected AVideo platforms is unknown, but any instance running a version up to 26.0 is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 to remediate CVE-2026-33716.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts against the \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e containing the \u003ccode\u003estreamerURL\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-17T12:00:00Z","date_published":"2024-01-17T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/","summary":"AVideo platform versions up to 26.0 are vulnerable to unauthenticated control of live streams due to manipulation of the `streamerURL` parameter in the `control.json.php` endpoint, enabling actions like dropping publishers or starting/stopping recordings.","title":"AVideo Platform Unauthenticated Live Stream Control via streamerURL Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - AVideo Platform","version":"https://jsonfeed.org/version/1.1"}