https://feed.craftedsignal.io/products/avideo/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 May 2026 18:34:29 +0000https://feed.craftedsignal.io/briefs/2026-05-avideo-cmd-injection/Fri, 15 May 2026 18:34:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-avideo-cmd-injection/AVideo is vulnerable to OS command injection (CVE-2026-45578) in the `on_publish.php` file due to improper sanitization of the m3u8 URL, allowing attackers to execute arbitrary commands by injecting shell metacharacters.AVideo, a video-sharing platform, is susceptible to a critical OS command injection vulnerability (CVE-2026-45578) within the on_publish.php file. The issue stems from constructing a command line for execAsync() by directly concatenating strings, single-quoting arguments without proper escaping using escapeshellarg(). This flaw, located in the YPTSocket notification branch of the Live plugin, enables a malicious actor to inject arbitrary commands by embedding a single quote (') within the $m3u8 URL or other command parameters. Successful exploitation allows the attacker to execute arbitrary OS commands with the privileges of the web server runtime user. This vulnerability affects AVideo versions up to and including 29.0. The lack of input sanitization and direct web accessibility to on_publish.php are key factors enabling this attack.

Attack Chain

1. Attacker gains a canStream account on the AVideo platform.
2. Attacker crafts a malicious stream key containing a single quote and shell metacharacters (e.g., evilkey';id>/tmp/pwn;#) and persists it via saveLive.php.
3. Attacker sends a POST request directly to https://target/plugin/Live/on_publish.php with the crafted stream key in the name parameter and a valid password in the p parameter.
4. on_publish.php processes the POST request, strips & and =, but permits the single quote and other shell metacharacters in the stream key.
5. Live::getM3U8File constructs the m3u8 URL with the injected payload (e.g., https://server/live/evilkey';id>/tmp/pwn;#.m3u8).
6. The command string is built using string concatenation without proper escaping, resulting in a vulnerable command.
7. execAsync() executes the command, leading to OS command injection.
8. Attacker achieves arbitrary OS command execution with the privileges of the web server user.

Impact

Successful exploitation of this vulnerability (CVE-2026-45578) grants the attacker the ability to execute arbitrary OS commands on the AVideo server. This could lead to several consequences, including unauthorized access to sensitive data such as database credentials, exfiltration of user information, deployment of a webshell for persistent access, lateral movement to other plugin credentials (PayPal/Stripe API keys, AWS keys), or privilege escalation via local sudoers entries. The impact is significant, potentially leading to complete compromise of the AVideo platform.

Recommendation

• Apply the provided patch that utilizes escapeshellarg() on all variables interpolated into the command string in plugin/Live/on_publish.php to prevent shell injection (see code diff in Overview).
• Implement an .htaccess or nginx location rule to restrict access to /plugin/Live/on_publish.php to 127.0.0.1 and authorized RTMP server IPs as a defense-in-depth measure (see Overview).
• Deploy the Sigma rule "Detect AVideo on_publish.php Command Injection Attempt" to identify potential exploitation attempts by monitoring for POST requests to on_publish.php with shell metacharacters in the name parameter (see Rules).
• Enable webserver logging to capture HTTP requests, which are essential for detecting and investigating exploitation attempts (see Rules - logsource).

]]>highadvisorycommand injectionavideowebserverhttps://feed.craftedsignal.io/briefs/2026-05-avideo-meet-auth-bypass/Fri, 15 May 2026 18:18:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-avideo-meet-auth-bypass/AVideo's Meet plugin contains an authorization bypass vulnerability in the `uploadRecordedVideo.json.php` endpoint that derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin.AVideo is a video-sharing platform with a Meet plugin for video conferencing integration. The uploadRecordedVideo.json.php endpoint in the Meet plugin is vulnerable to an authorization bypass. This vulnerability allows an attacker with knowledge of the Meet shared secret to authenticate as any user, including an administrator. The vulnerability stems from the endpoint using the filename of the uploaded video to determine the users_id for authentication. An attacker can manipulate this filename to impersonate any user. The shared secret is calculable from the AVideo salt, often leaked via separate path-traversal vulnerabilities (e.g. GHSA-83xq-8jxj-4rxm or GHSA-4wmm-6qxj-fpj4) or recoverable via timing attack on checkToken.json.php. The affected version is AVideo version 29.0 and earlier.

Attack Chain

1. Attacker obtains the Meet shared secret through path traversal to read videos/configuration.php or by timing attacks against the checkToken.json.php endpoint. The secret is derived from md5($global['systemRootPath'] . $global['salt'] . "meet").
2. Attacker crafts a malicious HTTP POST request to /plugin/Meet/uploadRecordedVideo.json.php with the Authorization: Bearer <Meet secret> header set.
3. The POST request includes a multipart body with a file field named upl. The attacker sets the filename of the uploaded file to 1-anything.mp4, where 1 is the target users_id (e.g., the admin user).
4. The server validates the Meet shared secret, but trusts the attacker-controlled filename to determine the users_id on line 56 of plugin/Meet/uploadRecordedVideo.json.php.
5. The server instantiates a User object using the attacker-provided users_id and calls $userObject->login(true, true), triggering the passwordless login path in objects/user.php.
6. The server sets $_SESSION['user'] to the impersonated user's data, calls setUserCookie(...), and issues a new session ID via _session_regenerate_id().
7. The HTTP response includes a Set-Cookie header with the new PHPSESSID.
8. The attacker uses the captured PHPSESSID cookie in subsequent requests to access the AVideo platform as the impersonated user, gaining full control of their account.

Impact

Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to any user account on the AVideo platform, including administrator accounts. This can lead to complete system compromise, data breaches, and denial of service. There is no limit to which users_id can be targeted. If the Meet plugin is enabled, all accounts are at risk. An attacker achieving admin privileges can modify video content, access sensitive user data, and manipulate system settings.

Recommendation

• Apply the vendor-provided patch to AVideo that includes the suggested fixes to plugin/Meet/uploadRecordedVideo.json.php and objects/user.php as detailed in the advisory.
• Deploy the "AVideo Meet Plugin Unauthorized Session Creation" Sigma rule to detect exploitation attempts.
• Remove the checkToken.json.php endpoint or restrict access to administrators only to mitigate the timing attack vector.
• Monitor web server logs for POST requests to /plugin/Meet/uploadRecordedVideo.json.php with unusual filenames in the upl file field.

]]>highadvisoryauthentication-bypassaccount-takeoverweb-application