<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33485 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33485/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33485/feed.xml" rel="self" type="application/rss+xml"/><item><title>WWBN AVideo Unauthenticated SQL Injection Vulnerability (CVE-2026-33485)</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-avideo-sqli/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-avideo-sqli/</guid><description>WWBN AVideo versions up to 26.0 are vulnerable to unauthenticated SQL injection via the RTMP `on_publish` callback, allowing attackers to extract sensitive database information.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is vulnerable to a critical SQL injection flaw. Specifically, versions up to and including 26.0 are affected. The vulnerability resides in the RTMP <code>on_publish</code> callback, located at <code>plugin/Live/on_publish.php</code>, which is accessible without authentication. The <code>$_POST['name']</code> parameter, representing the stream key, is directly embedded into SQL queries within <code>LiveTransmitionHistory::getLatest()</code> and <code>LiveTransmition::keyExists()</code>. This direct interpolation, without proper sanitization or parameterized binding, allows an unauthenticated attacker to perform time-based blind SQL injection. Successful exploitation enables the attacker to extract the entire database content, potentially including user password hashes, email addresses, and other sensitive data. This vulnerability poses a significant risk to AVideo installations, potentially leading to data breaches and unauthorized access. A patch is available in commit af59eade82de645b20183cc3d74467a7eac76549.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a crafted RTMP <code>on_publish</code> request to the <code>/plugin/Live/on_publish.php</code> endpoint.</li>
<li>The request includes a malicious <code>$_POST['name']</code> parameter containing SQL injection payload.</li>
<li>The AVideo application receives the request and processes the <code>on_publish</code> callback.</li>
<li>The application calls <code>LiveTransmitionHistory::getLatest()</code> and <code>LiveTransmition::keyExists()</code>, passing the unsanitized <code>$_POST['name']</code> parameter.</li>
<li>The <code>$_POST['name']</code> parameter is directly interpolated into SQL queries executed against the AVideo database.</li>
<li>The attacker uses time-based blind SQL injection techniques to extract data bit-by-bit by observing the response time.</li>
<li>The attacker retrieves sensitive data such as user credentials (password hashes), email addresses, and other database contents.</li>
<li>The attacker uses the extracted credentials to gain unauthorized access to user accounts or the AVideo system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33485 allows an unauthenticated attacker to extract the entire database content from vulnerable AVideo instances. This includes sensitive information such as user credentials (password hashes), email addresses, and potentially other confidential data stored within the database. The impact could range from unauthorized access to user accounts to a complete data breach, depending on the database contents. The number of affected AVideo installations is unknown, but the widespread use of the platform suggests a potentially large number of vulnerable systems. The lack of authentication required for exploitation makes this vulnerability particularly dangerous.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided in commit af59eade82de645b20183cc3d74467a7eac76549 or upgrade to a version of AVideo that includes this fix to remediate CVE-2026-33485.</li>
<li>Deploy the provided Sigma rule &quot;Detect AVideo Unauthenticated SQL Injection Attempt&quot; to identify potential exploitation attempts against the <code>/plugin/Live/on_publish.php</code> endpoint.</li>
<li>Implement a Web Application Firewall (WAF) rule to filter out malicious requests to <code>/plugin/Live/on_publish.php</code> containing suspicious SQL injection payloads in the <code>$_POST['name']</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>sqli</category><category>unauthenticated</category><category>cve-2026-33485</category></item></channel></rss>