{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33354/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","lfi","cve-2026-33354","webserver"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to an arbitrary local file read vulnerability (CVE-2026-33354) in versions up to and including 26.0. The vulnerability resides in the \u003ccode\u003ePOST /objects/aVideoEncoder.json.php\u003c/code\u003e endpoint, which processes \u003ccode\u003echunkFile\u003c/code\u003e parameters intended for handling staged upload chunks. However, the application fails to adequately restrict the file paths provided through this parameter. An authenticated user, with privileges to edit their own videos, can manipulate the \u003ccode\u003echunkFile\u003c/code\u003e parameter to specify arbitrary local file paths. The application's \u003ccode\u003eisValidURLOrPath()\u003c/code\u003e helper function, designed to validate file paths, permits access to files within broad server directories such as \u003ccode\u003e/var/www/\u003c/code\u003e, the application root, cache, \u003ccode\u003etmp\u003c/code\u003e, and \u003ccode\u003evideos\u003c/code\u003e, effectively bypassing security measures and enabling unauthorized file access. This vulnerability allows an attacker to read sensitive files from the server, potentially exposing configuration details, database credentials, or other confidential information. A patch addressing this issue is available in commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the AVideo platform with a valid user account that has permission to edit videos.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target file on the server they wish to read (e.g., \u003ccode\u003e/var/www/avideo/configuration.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/objects/aVideoEncoder.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn the \u003ccode\u003ePOST\u003c/code\u003e request body, the attacker sets the \u003ccode\u003echunkFile\u003c/code\u003e parameter to the absolute path of the target file (e.g., \u003ccode\u003echunkFile=/var/www/avideo/configuration.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe AVideo application receives the request and calls \u003ccode\u003eisValidURLOrPath()\u003c/code\u003e on the supplied \u003ccode\u003echunkFile\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eSince the path is within allowed directories and is not a \u003ccode\u003e.php\u003c/code\u003e file, \u003ccode\u003eisValidURLOrPath()\u003c/code\u003e returns true.\u003c/li\u003e\n\u003cli\u003eThe application copies the content of the target file to the attacker's public video storage path.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the copied file via HTTP from their video storage path.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33354 allows an attacker to read arbitrary files from the AVideo server, potentially leading to the disclosure of sensitive information such as configuration files, database credentials, or source code. This information can be used to further compromise the server, escalate privileges, or gain unauthorized access to user data. The number of victims depends on the deployment size of the vulnerable AVideo platform. Sectors affected could include media, education, and any organization using AVideo for video hosting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo to a version containing the patch from commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f to remediate CVE-2026-33354.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo ChunkFile LFI Attempt\u0026quot; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/objects/aVideoEncoder.json.php\u003c/code\u003e with suspicious \u003ccode\u003echunkFile\u003c/code\u003e parameters referencing sensitive file paths.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization for file paths used in file upload functionalities to prevent arbitrary file access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-24-avideo-lfi/","summary":"WWBN AVideo versions up to 26.0 are vulnerable to an arbitrary local file read via the `chunkFile` parameter in the `POST /objects/aVideoEncoder.json.php` endpoint, allowing authenticated users to read sensitive server files.","title":"WWBN AVideo Arbitrary Local File Read Vulnerability (CVE-2026-33354)","url":"https://feed.craftedsignal.io/briefs/2024-01-24-avideo-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33354","version":"https://jsonfeed.org/version/1.1"}