{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33352/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","sqli","cve-2026-33352","webserver"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to an unauthenticated SQL injection vulnerability affecting versions prior to 26.0. Specifically, the vulnerability resides within the \u003ccode\u003egetAllCategories()\u003c/code\u003e method located in the \u003ccode\u003eobjects/category.php\u003c/code\u003e file. The \u003ccode\u003edoNotShowCats\u003c/code\u003e request parameter, intended to filter categories, undergoes insufficient sanitization, merely stripping single quotes. Attackers can bypass this weak protection using backslash escape techniques, manipulating SQL string boundaries to inject malicious code. The application's global input filters, managed within \u003ccode\u003eobjects/security.php\u003c/code\u003e, do not adequately cover this parameter, further exacerbating the risk. AVideo version 26.0 addresses this critical flaw with a patch. Successful exploitation allows attackers to execute arbitrary SQL queries, potentially compromising the entire application and its underlying data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance running a version prior to 26.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eobjects/category.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003edoNotShowCats\u003c/code\u003e parameter containing SQL injection payload with backslash escapes to bypass sanitization (e.g., \u003ccode\u003e\\'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AVideo server receives the request and passes the unsanitized \u003ccode\u003edoNotShowCats\u003c/code\u003e parameter to the \u003ccode\u003egetAllCategories()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application constructs a SQL query using the attacker-controlled input without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the AVideo database.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially read sensitive database information, modify data, or execute arbitrary operating system commands via SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete compromise of the AVideo platform, potentially exfiltrating data or using the compromised server for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on the AVideo platform's database. This could lead to the disclosure of sensitive information, modification or deletion of data, or even complete compromise of the server. The CVSS v3.1 base score of 9.8 reflects the high severity of this vulnerability. Organizations using vulnerable versions of AVideo are at risk of data breaches, service disruption, and potential legal repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade AVideo instances to version 26.0 or later to patch CVE-2026-33352.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block SQL injection attempts targeting the \u003ccode\u003edoNotShowCats\u003c/code\u003e parameter in \u003ccode\u003eobjects/category.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003cli\u003eReview and enhance input validation and sanitization routines within the AVideo application, paying close attention to user-supplied parameters used in SQL queries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-sqli/","summary":"AVideo platform versions before 26.0 are vulnerable to unauthenticated SQL injection via the getAllCategories() method in objects/category.php due to insufficient sanitization of the doNotShowCats parameter, potentially leading to arbitrary code execution.","title":"AVideo Platform Unauthenticated SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33352","version":"https://jsonfeed.org/version/1.1"}