<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AVideo Platform - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/avideo-platform/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 17 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/avideo-platform/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo Platform Unauthenticated Live Stream Control via streamerURL Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/</link><pubDate>Wed, 17 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/</guid><description>AVideo platform versions up to 26.0 are vulnerable to unauthenticated control of live streams due to manipulation of the `streamerURL` parameter in the `control.json.php` endpoint, enabling actions like dropping publishers or starting/stopping recordings.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is vulnerable to an authentication bypass flaw affecting versions up to and including 26.0. The vulnerability resides in the <code>plugin/Live/standAloneFiles/control.json.php</code> endpoint, which handles live stream control. By manipulating the <code>streamerURL</code> parameter, a malicious actor can redirect token verification requests to a server under their control. This malicious server is designed to always return a positive authentication response (<code>{&quot;error&quot;: false}</code>), effectively bypassing the intended authentication process. This allows an unauthenticated attacker to take complete control over any live stream hosted on the platform. The vulnerability was patched in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This vulnerability poses a severe risk to AVideo platforms as it could lead to unauthorized modification or disruption of live streams.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an AVideo platform running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>plugin/Live/standAloneFiles/control.json.php</code> endpoint.</li>
<li>Within the POST request, the attacker includes the <code>streamerURL</code> parameter, setting its value to a URL pointing to a server under their control.</li>
<li>The attacker's server is configured to respond to any token verification request with a JSON response: <code>{&quot;error&quot;: false}</code>.</li>
<li>The AVideo platform, upon receiving the crafted request, sends a token verification request to the attacker-controlled <code>streamerURL</code>.</li>
<li>The attacker's server responds with <code>{&quot;error&quot;: false}</code>, tricking the AVideo platform into believing the user is authenticated.</li>
<li>The attacker can then use other parameters in the <code>control.json.php</code> endpoint to perform unauthorized actions on live streams, such as dropping active publishers.</li>
<li>The attacker can also start/stop recordings or probe for the existence of live streams.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33716 allows an unauthenticated attacker to gain full control over live streams on the affected AVideo platform. This can lead to various detrimental outcomes, including unauthorized termination of legitimate streams, injection of malicious content into live broadcasts, and disruption of service. The CVSS v3.1 base score for this vulnerability is 9.4, indicating a critical severity level. The number of affected AVideo platforms is unknown, but any instance running a version up to 26.0 is susceptible to this attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 to remediate CVE-2026-33716.</li>
<li>Deploy the Sigma rule to detect exploitation attempts against the <code>plugin/Live/standAloneFiles/control.json.php</code> endpoint.</li>
<li>Monitor web server logs for POST requests to <code>plugin/Live/standAloneFiles/control.json.php</code> containing the <code>streamerURL</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>authentication-bypass</category><category>cve-2026-33716</category></item></channel></rss>