{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/avideo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["command injection","avideo","webserver"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eAVideo, a video-sharing platform, is susceptible to a critical OS command injection vulnerability (CVE-2026-45578) within the \u003ccode\u003eon_publish.php\u003c/code\u003e file. The issue stems from constructing a command line for \u003ccode\u003eexecAsync()\u003c/code\u003e by directly concatenating strings and wrapping arguments in single quotes by hand, instead of escaping them with \u003ccode\u003eescapeshellarg()\u003c/code\u003e. This flaw, located in the YPTSocket notification branch of the Live plugin, enables a malicious actor to inject arbitrary commands by embedding a single quote (\u003ccode\u003e'\u003c/code\u003e) within the \u003ccode\u003e$m3u8\u003c/code\u003e URL or other command parameters. Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the web server runtime user. This vulnerability affects AVideo versions up to and including 29.0. 
The lack of input sanitization and direct web accessibility to \u003ccode\u003eon_publish.php\u003c/code\u003e are key factors enabling this attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains a \u003ccode\u003ecanStream\u003c/code\u003e account on the AVideo platform.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious stream key containing a single quote and shell metacharacters (e.g., \u003ccode\u003eevilkey';id\u0026gt;/tmp/pwn;#\u003c/code\u003e) and persists it via \u003ccode\u003esaveLive.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request directly to \u003ccode\u003ehttps://target/plugin/Live/on_publish.php\u003c/code\u003e with the crafted stream key in the \u003ccode\u003ename\u003c/code\u003e parameter and a valid password in the \u003ccode\u003ep\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eon_publish.php\u003c/code\u003e processes the POST request, strips \u003ccode\u003e\u0026amp;\u003c/code\u003e and \u003ccode\u003e=\u003c/code\u003e, but permits the single quote and other shell metacharacters in the stream key.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLive::getM3U8File\u003c/code\u003e constructs the m3u8 URL with the injected payload (e.g., \u003ccode\u003ehttps://server/live/evilkey';id\u0026gt;/tmp/pwn;#.m3u8\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe command string is built using string concatenation without proper escaping, resulting in a vulnerable command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexecAsync()\u003c/code\u003e executes the command, leading to OS command injection.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary OS command execution with the privileges of the web server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-45578) grants the attacker the 
ability to execute arbitrary OS commands on the AVideo server. This could lead to several consequences, including unauthorized access to sensitive data such as database credentials, exfiltration of user information, deployment of a webshell for persistent access, lateral movement to other plugin credentials (PayPal/Stripe API keys, AWS keys), or privilege escalation via local sudoers entries. The impact is significant, potentially leading to complete compromise of the AVideo platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided patch that utilizes \u003ccode\u003eescapeshellarg()\u003c/code\u003e on all variables interpolated into the command string in \u003ccode\u003eplugin/Live/on_publish.php\u003c/code\u003e to prevent shell injection (see code diff in Overview).\u003c/li\u003e\n\u003cli\u003eImplement an \u003ccode\u003e.htaccess\u003c/code\u003e or nginx \u003ccode\u003elocation\u003c/code\u003e rule to restrict access to \u003ccode\u003e/plugin/Live/on_publish.php\u003c/code\u003e to \u003ccode\u003e127.0.0.1\u003c/code\u003e and authorized RTMP server IPs as a defense-in-depth measure (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo on_publish.php Command Injection Attempt\u0026quot; to identify potential exploitation attempts by monitoring for POST requests to \u003ccode\u003eon_publish.php\u003c/code\u003e with shell metacharacters in the \u003ccode\u003ename\u003c/code\u003e parameter (see Rules).\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP requests, which are essential for detecting and investigating exploitation attempts (see Rules - logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:34:29Z","date_published":"2026-05-15T18:34:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-avideo-cmd-injection/","summary":"AVideo is vulnerable to OS command injection 
(CVE-2026-45578) in the `on_publish.php` file due to improper sanitization of the m3u8 URL, allowing attackers to execute arbitrary commands by injecting shell metacharacters.","title":"AVideo OS Command Injection via Unescaped m3u8 URL (CVE-2026-45578)","url":"https://feed.craftedsignal.io/briefs/2026-05-avideo-cmd-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","account-takeover","web-application"],"_cs_type":"advisory","_cs_vendors":["composer","WWBN"],"content_html":"\u003cp\u003eAVideo is a video-sharing platform with a Meet plugin for video conferencing integration. The \u003ccode\u003euploadRecordedVideo.json.php\u003c/code\u003e endpoint in the Meet plugin is vulnerable to an authorization bypass. This vulnerability allows an attacker with knowledge of the Meet shared secret to authenticate as any user, including an administrator. The vulnerability stems from the endpoint using the filename of the uploaded video to determine the \u003ccode\u003eusers_id\u003c/code\u003e for authentication. An attacker can manipulate this filename to impersonate any user. The shared secret is calculable from the AVideo salt, often leaked via separate path-traversal vulnerabilities (e.g. \u003ccode\u003eGHSA-83xq-8jxj-4rxm\u003c/code\u003e or \u003ccode\u003eGHSA-4wmm-6qxj-fpj4\u003c/code\u003e) or recoverable via timing attack on \u003ccode\u003echeckToken.json.php\u003c/code\u003e. The affected version is AVideo version 29.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains the Meet shared secret through path traversal to read \u003ccode\u003evideos/configuration.php\u003c/code\u003e or by timing attacks against the \u003ccode\u003echeckToken.json.php\u003c/code\u003e endpoint. 
The secret is derived from \u003ccode\u003emd5($global['systemRootPath'] . $global['salt'] . \u0026quot;meet\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to \u003ccode\u003e/plugin/Meet/uploadRecordedVideo.json.php\u003c/code\u003e with the \u003ccode\u003eAuthorization: Bearer \u0026lt;Meet secret\u0026gt;\u003c/code\u003e header set.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a multipart body with a file field named \u003ccode\u003eupl\u003c/code\u003e. The attacker sets the filename of the uploaded file to \u003ccode\u003e1-anything.mp4\u003c/code\u003e, where \u003ccode\u003e1\u003c/code\u003e is the target \u003ccode\u003eusers_id\u003c/code\u003e (e.g., the admin user).\u003c/li\u003e\n\u003cli\u003eThe server validates the Meet shared secret, but trusts the attacker-controlled filename to determine the \u003ccode\u003eusers_id\u003c/code\u003e on line 56 of \u003ccode\u003eplugin/Meet/uploadRecordedVideo.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server instantiates a \u003ccode\u003eUser\u003c/code\u003e object using the attacker-provided \u003ccode\u003eusers_id\u003c/code\u003e and calls \u003ccode\u003e$userObject-\u0026gt;login(true, true)\u003c/code\u003e, triggering the passwordless login path in \u003ccode\u003eobjects/user.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server sets \u003ccode\u003e$_SESSION['user']\u003c/code\u003e to the impersonated user's data, calls \u003ccode\u003esetUserCookie(...)\u003c/code\u003e, and issues a new session ID via \u003ccode\u003e_session_regenerate_id()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe HTTP response includes a \u003ccode\u003eSet-Cookie\u003c/code\u003e header with the new \u003ccode\u003ePHPSESSID\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured \u003ccode\u003ePHPSESSID\u003c/code\u003e cookie in subsequent requests to access the AVideo platform as the 
impersonated user, gaining full control of their account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain unauthorized access to any user account on the AVideo platform, including administrator accounts. This can lead to complete system compromise, data breaches, and denial of service. There is no limit to which \u003ccode\u003eusers_id\u003c/code\u003e can be targeted. If the Meet plugin is enabled, all accounts are at risk. An attacker achieving admin privileges can modify video content, access sensitive user data, and manipulate system settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch to AVideo that includes the suggested fixes to \u003ccode\u003eplugin/Meet/uploadRecordedVideo.json.php\u003c/code\u003e and \u003ccode\u003eobjects/user.php\u003c/code\u003e as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;AVideo Meet Plugin Unauthorized Session Creation\u0026quot; Sigma rule to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRemove the \u003ccode\u003echeckToken.json.php\u003c/code\u003e endpoint or restrict access to administrators only to mitigate the timing attack vector.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/plugin/Meet/uploadRecordedVideo.json.php\u003c/code\u003e with unusual filenames in the \u003ccode\u003eupl\u003c/code\u003e file field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:18:36Z","date_published":"2026-05-15T18:18:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-avideo-meet-auth-bypass/","summary":"AVideo's Meet plugin contains an authorization bypass vulnerability in the `uploadRecordedVideo.json.php` endpoint that derives `users_id` from the uploaded filename and calls passwordless 
`User-\u003elogin()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin.","title":"AVideo Meet Plugin Authorization Bypass via Filename Parameter","url":"https://feed.craftedsignal.io/briefs/2026-05-avideo-meet-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - AVideo","version":"https://jsonfeed.org/version/1.1"}