{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33351/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["ssrf","avideo","cve-2026-33351"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eA Server-Side Request Forgery (SSRF) vulnerability has been identified in WWBN AVideo, an open-source video platform. The vulnerability, tracked as CVE-2026-33351, affects versions prior to 26.0. Specifically, the issue resides within the \u003ccode\u003eplugin/Live/standAloneFiles/saveDVR.json.php\u003c/code\u003e script. The vulnerability occurs when the AVideo Live plugin is deployed in standalone mode, where the \u003ccode\u003e$_REQUEST['webSiteRootURL']\u003c/code\u003e parameter is directly used to construct a URL. The server then fetches this URL using \u003ccode\u003efile_get_contents()\u003c/code\u003e without proper authentication, origin validation, or URL allowlisting. Successful exploitation allows unauthenticated attackers to force the AVideo server to make arbitrary HTTP requests to internal or external resources, potentially leading to information disclosure, internal service compromise, or denial-of-service. Version 26.0 contains a patch for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable AVideo instance running a version prior to 26.0 with the Live plugin enabled in standalone mode.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003esaveDVR.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u003ccode\u003ewebSiteRootURL\u003c/code\u003e parameter, setting it to a URL controlled by the attacker (e.g., an internal service or an external server).\u003c/li\u003e\n\u003cli\u003eThe AVideo server receives the request and passes the attacker-controlled URL to the \u003ccode\u003efile_get_contents()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efile_get_contents()\u003c/code\u003e function makes an HTTP request to the attacker-specified URL from the AVideo server.\u003c/li\u003e\n\u003cli\u003eIf the attacker specified an internal service, the AVideo server may inadvertently expose sensitive information or trigger unintended actions on the internal service.\u003c/li\u003e\n\u003cli\u003eIf the attacker specified an external server, the AVideo server sends an HTTP request to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled server receives the request, potentially revealing the AVideo server's IP address and allowing the attacker to perform further reconnaissance or launch attacks against other internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-33351) could allow an unauthenticated attacker to probe internal network resources, potentially leading to the discovery of sensitive information or the compromise of other internal services. An attacker could also use the AVideo server as a proxy to make requests to external services, masking their origin and potentially bypassing security controls. While the number of affected AVideo instances is unknown, organizations using versions prior to 26.0 are at risk. The impact can range from information disclosure to a full compromise of the AVideo server and potentially other internal resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WWBN AVideo to version 26.0 or later to patch the SSRF vulnerability (CVE-2026-33351).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter requests to \u003ccode\u003eplugin/Live/standAloneFiles/saveDVR.json.php\u003c/code\u003e that contain suspicious URLs in the \u003ccode\u003ewebSiteRootURL\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to exploit the SSRF vulnerability by monitoring HTTP requests to the vulnerable endpoint with suspicious \u003ccode\u003ewebSiteRootURL\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, consider disabling the Live plugin or restricting access to the \u003ccode\u003esaveDVR.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-avideo-ssrf/","summary":"WWBN AVideo versions prior to 26.0 are vulnerable to Server-Side Request Forgery (SSRF) via the `webSiteRootURL` parameter in `saveDVR.json.php`, allowing unauthenticated attackers to make arbitrary HTTP requests from the server.","title":"WWBN AVideo Server-Side Request Forgery (SSRF) Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-avideo-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33351","version":"https://jsonfeed.org/version/1.1"}