{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33492/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33492","avideo","session-fixation","web-application"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is vulnerable to a session fixation attack (CVE-2026-33492) in versions up to and including 26.0. The vulnerability stems from the \u003ccode\u003e_session_start()\u003c/code\u003e function, which improperly accepts arbitrary session IDs via the \u003ccode\u003ePHPSESSID\u003c/code\u003e GET parameter. Furthermore, session regeneration is bypassed for specific blacklisted endpoints when the request originates from the same domain. Critically, the \u003ccode\u003eUser::login()\u003c/code\u003e function explicitly disables session regeneration. This combination allows an attacker to set a victim's session ID before they authenticate, and subsequently hijack their authenticated session. This is a critical vulnerability as it can lead to complete account takeover. A patch is available in commit 5647a94d79bf69a972a86653fe02144079948785.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable AVideo instance (version 26.0 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious link or uses another method to send the victim a URL to the AVideo site that includes a \u003ccode\u003ePHPSESSID\u003c/code\u003e parameter with a session ID controlled by the attacker (e.g., \u003ccode\u003ehttps://example.com/?PHPSESSID=attacker_session_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and their browser sets the \u003ccode\u003ePHPSESSID\u003c/code\u003e cookie to the attacker-controlled value. The AVideo server starts a PHP session using the provided session ID.\u003c/li\u003e\n\u003cli\u003eThe victim logs into the AVideo platform. The \u003ccode\u003eUser::login()\u003c/code\u003e function, due to the vulnerability, does not regenerate the session ID upon successful authentication.\u003c/li\u003e\n\u003cli\u003eThe victim's authenticated session continues to use the attacker-controlled \u003ccode\u003ePHPSESSID\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the same \u003ccode\u003ePHPSESSID\u003c/code\u003e value in their own browser to access the AVideo site.\u003c/li\u003e\n\u003cli\u003eThe AVideo server authenticates the attacker as the victim because the session ID matches the victim's authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker now has complete access to the victim's account, including their videos, personal information, and administrative privileges if applicable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely take over a user's account on the AVideo platform. This could lead to unauthorized access to sensitive video content, modification or deletion of videos, defacement of the platform, or further attacks leveraging the compromised account. The number of potential victims depends on the number of vulnerable AVideo instances and their user base, but the impact is significant for each compromised account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch available in commit 5647a94d79bf69a972a86653fe02144079948785 to remediate the session fixation vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Session Fixation Attempt via PHPSESSID GET Parameter\u003c/code\u003e to identify potential exploitation attempts (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the \u003ccode\u003ePHPSESSID\u003c/code\u003e parameter in the query string to identify potential session fixation attempts (webserver logs).\u003c/li\u003e\n\u003cli\u003eConsider implementing a web application firewall (WAF) rule to block requests containing the \u003ccode\u003ePHPSESSID\u003c/code\u003e parameter in the query string (webserver logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/","summary":"AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.","title":"AVideo Session Fixation Vulnerability (CVE-2026-33492)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33492","version":"https://jsonfeed.org/version/1.1"}