{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33480/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["ssrf","avideo","cve-2026-33480","webserver"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is vulnerable to a Server-Side Request Forgery (SSRF) attack. Specifically, versions up to and including 26.0 contain a flaw in the \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function. This function, intended to prevent SSRF attacks, can be bypassed using IPv4-mapped IPv6 addresses (e.g., \u003ccode\u003e::ffff:x.x.x.x\u003c/code\u003e). The vulnerability is located in the \u003ccode\u003eplugin/LiveLinks/proxy.php\u003c/code\u003e endpoint, which lacks proper authentication. An attacker can exploit this to make arbitrary HTTP requests to internal resources, cloud metadata endpoints, and localhost services. This issue was addressed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373. The CVSS v3.1 score is 8.6, indicating a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL using an IPv4-mapped IPv6 address, such as \u003ccode\u003e::ffff:127.0.0.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the \u003ccode\u003eplugin/LiveLinks/proxy.php\u003c/code\u003e endpoint, providing the malicious URL as a parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function fails to properly validate the IPv4-mapped IPv6 address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eproxy.php\u003c/code\u003e script uses curl (or a similar function) to fetch the content from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe curl request is sent to the target specified within the IPv6-mapped address (e.g., localhost).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information from internal services, cloud metadata, or localhost.\u003c/li\u003e\n\u003cli\u003eThe attacker may further exploit accessed services or exfiltrate data depending on the internal resources exposed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows unauthenticated attackers to read sensitive information from internal services, cloud metadata endpoints, and localhost services. This can lead to the disclosure of API keys, configuration files, internal network layouts, and potentially allow further exploitation of other internal systems. The lack of authentication on the affected endpoint greatly increases the potential for widespread abuse, particularly in cloud environments where metadata services are readily accessible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 to remediate CVE-2026-33480.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003eplugin/LiveLinks/proxy.php\u003c/code\u003e endpoint containing IPv4-mapped IPv6 addresses using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict access from the AVideo server to internal resources to mitigate the impact of successful SSRF attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-16T12:00:00Z","date_published":"2024-01-16T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/","summary":"AVideo versions up to 26.0 are vulnerable to server-side request forgery (SSRF) due to a bypass in the `isSSRFSafeURL()` function, allowing unauthenticated attackers to access internal resources.","title":"AVideo SSRF Vulnerability via IPv4-Mapped IPv6 Bypass (CVE-2026-33480)","url":"https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33480","version":"https://jsonfeed.org/version/1.1"}