{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/api-disclosure/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AVideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["avideo","api-disclosure","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo, a video-sharing platform, is vulnerable to a high-severity flaw that lets unauthenticated users read the platform's API secret. Specifically, the \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e endpoint, intended to provide plugin configuration details, inadvertently exposes the \u003ccode\u003eAPISecret\u003c/code\u003e within the \u003ccode\u003eobject_data\u003c/code\u003e. This vulnerability, present in versions 29.0 and earlier, allows an attacker to bypass authentication and directly interact with protected API endpoints. By extracting the \u003ccode\u003eAPISecret\u003c/code\u003e, an attacker can then craft API requests to access restricted data, such as user lists, without proper authorization. 
This poses a significant risk to data confidentiality within AVideo installations, and to integrity as well wherever the secret also authorizes API actions that modify data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker discovers the publicly accessible \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e to retrieve plugin configurations.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing plugin \u003ccode\u003eobject_data\u003c/code\u003e, including the \u003ccode\u003eAPISecret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the \u003ccode\u003eAPISecret\u003c/code\u003e from the JSON response.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an API request to the \u003ccode\u003eplugin/API/get.json.php\u003c/code\u003e endpoint, presenting the \u003ccode\u003eAPISecret\u003c/code\u003e as its authentication token.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies the desired \u003ccode\u003eAPIName\u003c/code\u003e (e.g., \u003ccode\u003eusers_list\u003c/code\u003e) and other parameters (e.g., \u003ccode\u003erowCount\u003c/code\u003e, \u003ccode\u003ecurrent\u003c/code\u003e) in the API request.\u003c/li\u003e\n\u003cli\u003eThe server accepts the request because the \u003ccode\u003eAPISecret\u003c/code\u003e is valid; it cannot distinguish a request built from the leaked secret from one sent by a legitimate API client.\u003c/li\u003e\n\u003cli\u003eThe server responds with the requested data, granting the attacker unauthorized access to protected information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthorized access to sensitive data managed by the AVideo platform. An attacker could potentially access user lists and other restricted information. 
The number of affected installations is currently unknown, but any instance running AVideo version 29.0 or earlier is susceptible. This can lead to data breaches, privacy violations, and potential misuse of user information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRequire admin authentication for the full plugin inventory/config endpoint, the fix suggested in the advisory, and then rotate the \u003ccode\u003eAPISecret\u003c/code\u003e: a secret that was served by an unauthenticated endpoint should be treated as already disclosed, and patching alone does not invalidate it.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AVideo API Secret Disclosure Attempt\u0026rdquo; to detect access to the vulnerable \u003ccode\u003eobjects/plugins.json.php\u003c/code\u003e endpoint; administrators also load this endpoint legitimately, so hits from unknown or unauthenticated sources are the signal.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AVideo Unauthorized API Access via APISecret\u0026rdquo; to detect API calls that present a disclosed \u003ccode\u003eAPISecret\u003c/code\u003e; a source that triggers both rules in sequence is the strongest indicator of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-avideo-api-disclosure/","summary":"AVideo version 29.0 and earlier is vulnerable to unauthenticated API secret disclosure via a publicly accessible endpoint, allowing unauthorized access to protected API endpoints.","title":"AVideo API Secret Disclosure Leads to Unauthorized Access","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-api-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Api-Disclosure","version":"https://jsonfeed.org/version/1.1"}
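Added example for the attack chain and the two detections in the brief above. This is not code from the CraftedSignal feed, the Sigma rules it names, or the AVideo project. It does two things offline: checks a captured `objects/plugins.json.php` response for an exposed `APISecret`, and runs the logic of both rules over constructed access-log lines, then pairs the disclosure request with the later `plugin/API/get.json.php` call from the same source. The response layout (a `plugins` list with `object_data` objects) and the log lines are assumptions constructed for the demo; only the `APISecret` key inside `object_data` and the two endpoint paths come from the brief.

```python
"""Offline checks for the AVideo APISecret disclosure described above.

Added example, not AVideo or CraftedSignal code. Two pieces:
  1. find_exposed_secrets(): scan a captured objects/plugins.json.php
     response for any APISecret, wherever it is nested.
  2. scan_access_log() / correlate(): run the logic of the two Sigma
     rules over web-server access-log lines and pair the disclosure
     request with the later API call from the same source.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed response. The only thing taken from the advisory is that a
# plugin's object_data carries an APISecret key; the surrounding layout
# (a "plugins" list, the other fields) is an assumption for the demo.
SAMPLE_PLUGINS_RESPONSE = json.dumps({
    "plugins": [
        {"name": "API", "enabled": True,
         "object_data": {"APISecret": "s3cr3t-example-value", "enabled": True}},
        {"name": "YPTWallet", "enabled": False,
         "object_data": {"currency": "USD"}},
    ]
})

SECRET_KEYS = {"APISecret"}

def _walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node

def find_exposed_secrets(body):
    """Return [(path, value)] for each non-empty secret key in the response.

    Walking the whole document instead of indexing plugins[i].object_data
    means a layout change in the response cannot hide the leak from us.
    """
    return [(path, value) for path, value in _walk(json.loads(body))
            if path.rsplit(".", 1)[-1] in SECRET_KEYS and value]

RULE_DISCLOSURE = "AVideo API Secret Disclosure Attempt"
RULE_API_USE = "AVideo Unauthorized API Access via APISecret"

# Apache/Nginx combined-format access log: client, timestamp, request line,
# status. Constructed for this example; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2024:12:01:02 +0000] "GET /objects/plugins.json.php HTTP/1.1" 200 8421 "-" "curl/8.4.0"
203.0.113.7 - - [09/Jan/2024:12:01:05 +0000] "GET /plugin/API/get.json.php?APIName=users_list&APISecret=s3cr3t-example-value&rowCount=100&current=1 HTTP/1.1" 200 51234 "-" "curl/8.4.0"
198.51.100.4 - - [09/Jan/2024:12:02:10 +0000] "GET /view/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Jan/2024:12:02:11 +0000] "POST /plugin/API/get.json.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(text):
    """Apply both detections; return [(rule, source_ip, detail)].

    Caveat: a secret sent in a POST body is invisible in an access log
    (last sample line), so the API-use rule only fires on query strings.
    Pair it with the first rule via correlate() to cut the noise from
    legitimate admin visits to plugins.json.php.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        query = parse_qs(url.query)
        if url.path.endswith("/objects/plugins.json.php") and m["status"] == "200":
            hits.append((RULE_DISCLOSURE, m["ip"], url.path))
        if url.path.endswith("/plugin/API/get.json.php") and "APISecret" in query:
            api_name = query.get("APIName", ["?"])[0]
            hits.append((RULE_API_USE, m["ip"], f"APIName={api_name}"))
    return hits

def correlate(hits):
    """Source IPs that fetched plugins.json.php and then used an APISecret."""
    rules_by_ip = {}
    for rule, ip, _ in hits:
        rules_by_ip.setdefault(ip, set()).add(rule)
    return sorted(ip for ip, rules in rules_by_ip.items()
                  if {RULE_DISCLOSURE, RULE_API_USE} <= rules)

if __name__ == "__main__":
    for path, value in find_exposed_secrets(SAMPLE_PLUGINS_RESPONSE):
        print(f"leak: {path} = {value}")
    for hit in scan_access_log(SAMPLE_LOG):
        print("hit:", hit)
    print("both rules from:", correlate(scan_access_log(SAMPLE_LOG)))
```

To use the first check against a live instance, save the body of an unauthenticated GET to `objects/plugins.json.php` and pass it to `find_exposed_secrets`; an empty result after patching confirms the endpoint no longer serves the secret, but the secret itself still needs rotating. The POST line in the sample log is deliberate: it shows that query-string matching alone misses a secret carried in a request body, which is why the correlation of both rules, rather than either alone, is what should page an analyst.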