<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33354 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33354/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33354/feed.xml" rel="self" type="application/rss+xml"/><item><title>WWBN AVideo Arbitrary Local File Read Vulnerability (CVE-2026-33354)</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-avideo-lfi/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-avideo-lfi/</guid><description>WWBN AVideo versions up to 26.0 are vulnerable to an arbitrary local file read via the `chunkFile` parameter in the `POST /objects/aVideoEncoder.json.php` endpoint, allowing authenticated users to read sensitive server files.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is susceptible to an arbitrary local file read vulnerability (CVE-2026-33354) in versions up to and including 26.0. The vulnerability resides in the <code>POST /objects/aVideoEncoder.json.php</code> endpoint, which processes <code>chunkFile</code> parameters intended for handling staged upload chunks. However, the application fails to adequately restrict the file paths provided through this parameter. An authenticated user, with privileges to edit their own videos, can manipulate the <code>chunkFile</code> parameter to specify arbitrary local file paths. The application's <code>isValidURLOrPath()</code> helper function, designed to validate file paths, permits access to files within broad server directories such as <code>/var/www/</code>, the application root, cache, <code>tmp</code>, and <code>videos</code>, effectively bypassing security measures and enabling unauthorized file access. This vulnerability allows an attacker to read sensitive files from the server, potentially exposing configuration details, database credentials, or other confidential information. A patch addressing this issue is available in commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the AVideo platform with a valid user account that has permission to edit videos.</li>
<li>The attacker identifies a target file on the server they wish to read (e.g., <code>/var/www/avideo/configuration.php</code>).</li>
<li>The attacker crafts a <code>POST</code> request to <code>/objects/aVideoEncoder.json.php</code>.</li>
<li>In the <code>POST</code> request body, the attacker sets the <code>chunkFile</code> parameter to the absolute path of the target file (e.g., <code>chunkFile=/var/www/avideo/configuration.php</code>).</li>
<li>The AVideo application receives the request and calls <code>isValidURLOrPath()</code> on the supplied <code>chunkFile</code> value.</li>
<li>Since the path is within allowed directories and is not a <code>.php</code> file, <code>isValidURLOrPath()</code> returns true.</li>
<li>The application copies the content of the target file to the attacker's public video storage path.</li>
<li>The attacker accesses the copied file via HTTP from their video storage path.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33354 allows an attacker to read arbitrary files from the AVideo server, potentially leading to the disclosure of sensitive information such as configuration files, database credentials, or source code. This information can be used to further compromise the server, escalate privileges, or gain unauthorized access to user data. The number of victims depends on the deployment size of the vulnerable AVideo platform. Sectors affected could include media, education, and any organization using AVideo for video hosting.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade AVideo to a version containing the patch from commit 59bbd601a3f65a5b18c1d9e4eb11471c0a59214f to remediate CVE-2026-33354.</li>
<li>Deploy the Sigma rule &quot;Detect AVideo ChunkFile LFI Attempt&quot; to your SIEM to detect exploitation attempts.</li>
<li>Monitor web server logs for <code>POST</code> requests to <code>/objects/aVideoEncoder.json.php</code> with suspicious <code>chunkFile</code> parameters referencing sensitive file paths.</li>
<li>Implement stricter input validation and sanitization for file paths used in file upload functionalities to prevent arbitrary file access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>lfi</category><category>cve-2026-33354</category><category>webserver</category></item></channel></rss>