<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33492 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33492/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33492/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo Session Fixation Vulnerability (CVE-2026-33492)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/</guid><description>AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is vulnerable to a session fixation attack (CVE-2026-33492) in versions up to and including 26.0. The vulnerability stems from the <code>_session_start()</code> function, which improperly accepts arbitrary session IDs via the <code>PHPSESSID</code> GET parameter. Furthermore, session regeneration is bypassed for specific blacklisted endpoints when the request originates from the same domain. Critically, the <code>User::login()</code> function explicitly disables session regeneration. This combination allows an attacker to set a victim's session ID before they authenticate, and subsequently hijack their authenticated session. This is a critical vulnerability as it can lead to complete account takeover. A patch is available in commit 5647a94d79bf69a972a86653fe02144079948785.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable AVideo instance (version 26.0 or earlier).</li>
<li>Attacker crafts a malicious link or uses another method to send the victim a URL to the AVideo site that includes a <code>PHPSESSID</code> parameter with a session ID controlled by the attacker (e.g., <code>https://example.com/?PHPSESSID=attacker_session_id</code>).</li>
<li>The victim clicks the link and their browser sets the <code>PHPSESSID</code> cookie to the attacker-controlled value. The AVideo server starts a PHP session using the provided session ID.</li>
<li>The victim logs into the AVideo platform. The <code>User::login()</code> function, due to the vulnerability, does not regenerate the session ID upon successful authentication.</li>
<li>The victim's authenticated session continues to use the attacker-controlled <code>PHPSESSID</code>.</li>
<li>The attacker uses the same <code>PHPSESSID</code> value in their own browser to access the AVideo site.</li>
<li>The AVideo server authenticates the attacker as the victim because the session ID matches the victim's authenticated session.</li>
<li>The attacker now has complete access to the victim's account, including their videos, personal information, and administrative privileges if applicable.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to completely take over a user's account on the AVideo platform. This could lead to unauthorized access to sensitive video content, modification or deletion of videos, defacement of the platform, or further attacks leveraging the compromised account. The number of potential victims depends on the number of vulnerable AVideo instances and their user base, but the impact is significant for each compromised account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch available in commit 5647a94d79bf69a972a86653fe02144079948785 to remediate the session fixation vulnerability.</li>
<li>Deploy the Sigma rule <code>Detect AVideo Session Fixation Attempt via PHPSESSID GET Parameter</code> to identify potential exploitation attempts (Sigma rule).</li>
<li>Monitor web server logs for requests containing the <code>PHPSESSID</code> parameter in the query string to identify potential session fixation attempts (webserver logs).</li>
<li>Consider implementing a web application firewall (WAF) rule to block requests containing the <code>PHPSESSID</code> parameter in the query string (webserver logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-33492</category><category>avideo</category><category>session-fixation</category><category>web-application</category></item></channel></rss>