<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33352 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33352/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33352/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo Platform Unauthenticated SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-sqli/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-sqli/</guid><description>AVideo platform versions before 26.0 are vulnerable to unauthenticated SQL injection via the getAllCategories() method in objects/category.php due to insufficient sanitization of the doNotShowCats parameter, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is susceptible to an unauthenticated SQL injection vulnerability affecting versions prior to 26.0. Specifically, the vulnerability resides within the <code>getAllCategories()</code> method located in the <code>objects/category.php</code> file. The <code>doNotShowCats</code> request parameter, intended to filter categories, undergoes insufficient sanitization, merely stripping single quotes. Attackers can bypass this weak protection using backslash escape techniques, manipulating SQL string boundaries to inject malicious code. The application's global input filters, managed within <code>objects/security.php</code>, do not adequately cover this parameter, further exacerbating the risk. AVideo version 26.0 addresses this critical flaw with a patch. Successful exploitation allows attackers to execute arbitrary SQL queries, potentially compromising the entire application and its underlying data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an AVideo instance running a version prior to 26.0.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>objects/category.php</code> endpoint.</li>
<li>The crafted request includes the <code>doNotShowCats</code> parameter containing SQL injection payload with backslash escapes to bypass sanitization (e.g., <code>\'</code>).</li>
<li>The AVideo server receives the request and passes the unsanitized <code>doNotShowCats</code> parameter to the <code>getAllCategories()</code> method.</li>
<li>The application constructs a SQL query using the attacker-controlled input without proper escaping.</li>
<li>The injected SQL code is executed against the AVideo database.</li>
<li>The attacker can potentially read sensitive database information, modify data, or execute arbitrary operating system commands via SQL injection.</li>
<li>The attacker achieves complete compromise of the AVideo platform, potentially exfiltrating data or using the compromised server for further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on the AVideo platform's database. This could lead to the disclosure of sensitive information, modification or deletion of data, or even complete compromise of the server. The CVSS v3.1 base score of 9.8 reflects the high severity of this vulnerability. Organizations using vulnerable versions of AVideo are at risk of data breaches, service disruption, and potential legal repercussions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade AVideo instances to version 26.0 or later to patch CVE-2026-33352.</li>
<li>Implement a web application firewall (WAF) rule to detect and block SQL injection attempts targeting the <code>doNotShowCats</code> parameter in <code>objects/category.php</code>.</li>
<li>Deploy the Sigma rule provided below to your SIEM to detect exploitation attempts based on HTTP request patterns.</li>
<li>Review and enhance input validation and sanitization routines within the AVideo application, paying close attention to user-supplied parameters used in SQL queries.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>sqli</category><category>cve-2026-33352</category><category>webserver</category></item></channel></rss>