{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33292/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","path-traversal","cve-2026-33292","webserver"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to a path traversal vulnerability in versions prior to 26.0. The vulnerability, identified as CVE-2026-33292, resides within the HLS streaming endpoint (\u003ccode\u003eview/hls.php\u003c/code\u003e). An unauthenticated attacker can exploit this flaw to bypass authorization checks and stream private or paid videos without proper credentials. The root cause lies in the inconsistent handling of the \u003ccode\u003evideoDirectory\u003c/code\u003e GET parameter, where authorization checks truncate the path while file access preserves traversal sequences (\u0026quot;../\u0026quot;), creating a split-oracle condition. Successful exploitation grants unauthorized access to restricted content, potentially leading to data leakage and financial losses for content creators and platform owners. The vulnerability was patched in version 26.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003eview/hls.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003evideoDirectory\u003c/code\u003e parameter with a path traversal sequence (e.g., \u003ccode\u003e../../private_video\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe authorization check truncates the \u003ccode\u003evideoDirectory\u003c/code\u003e parameter at the first \u003ccode\u003e/\u003c/code\u003e, effectively validating against a different, potentially public, video.\u003c/li\u003e\n\u003cli\u003eThe file access mechanism uses the original, untruncated \u003ccode\u003evideoDirectory\u003c/code\u003e parameter, resolving the path with traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe server retrieves the content from the specified private video file based on the manipulated path.\u003c/li\u003e\n\u003cli\u003eThe server streams the content of the unauthorized video back to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to private or paid video content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33292 allows unauthenticated attackers to bypass access controls and stream private or paid videos on vulnerable AVideo platforms. This can lead to unauthorized access to sensitive content, financial losses for content creators who rely on paid subscriptions, and reputational damage for the platform. The number of affected AVideo installations is currently unknown, but any instance running a version prior to 26.0 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo installations to version 26.0 or later to patch CVE-2026-33292.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAVideo HLS Path Traversal Attempt\u003c/code\u003e to detect exploitation attempts against the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003eview/hls.php\u003c/code\u003e containing path traversal sequences in the \u003ccode\u003evideoDirectory\u003c/code\u003e parameter to identify potential attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-path-traversal/","summary":"AVideo versions before 26.0 are vulnerable to an unauthenticated path traversal attack via the HLS streaming endpoint, allowing unauthorized access to private or paid videos by manipulating the `videoDirectory` GET parameter due to inconsistent path handling.","title":"AVideo HLS Path Traversal Vulnerability (CVE-2026-33292)","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33292","version":"https://jsonfeed.org/version/1.1"}