{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/avideo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","command-injection","cve-2026-33482","webserver"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, contains an OS command injection vulnerability (CVE-2026-33482) affecting versions up to and including 26.0. The vulnerability resides within the \u003ccode\u003esanitizeFFmpegCommand()\u003c/code\u003e function located in \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e. This function is intended to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters. However, it fails to properly sanitize the \u003ccode\u003e$()\u003c/code\u003e bash command substitution syntax. This oversight allows attackers who can craft a valid encrypted payload to achieve arbitrary command execution on the standalone encoder server due to the use of \u003ccode\u003esh -c\u003c/code\u003e within \u003ccode\u003eexecAsync()\u003c/code\u003e. The vulnerability was patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Exploitation requires the attacker to be able to craft a valid encrypted payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious encrypted payload containing a command injection payload leveraging the \u003ccode\u003e$()\u003c/code\u003e bash command substitution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or injects this payload into the AVideo platform.\u003c/li\u003e\n\u003cli\u003eAVideo processes the malicious payload, passing it to the \u003ccode\u003esanitizeFFmpegCommand()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitizeFFmpegCommand()\u003c/code\u003e function fails to properly sanitize the \u003ccode\u003e$()\u003c/code\u003e bash command substitution syntax within the payload.\u003c/li\u003e\n\u003cli\u003eThe unsanitized command is then executed within a double-quoted \u003ccode\u003esh -c\u003c/code\u003e context in the \u003ccode\u003eexecAsync()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esh -c\u003c/code\u003e interpreter executes the injected command, resulting in arbitrary code execution on the standalone encoder server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the server, potentially leading to data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo standalone encoder server. This can lead to complete system compromise, including data exfiltration, modification, or deletion. Given the nature of AVideo as a video platform, attackers could also inject malicious content into videos served by the platform, potentially affecting a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 to remediate CVE-2026-33482.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo Command Injection Attempt\u0026quot; to detect potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing shell metacharacters, especially \u003ccode\u003e$()\u003c/code\u003e, targeting the \u003ccode\u003eplugin/API/standAlone/functions.php\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/","summary":"AVideo versions up to 26.0 are vulnerable to OS command injection due to insufficient sanitization of shell metacharacters in the `sanitizeFFmpegCommand()` function, potentially allowing arbitrary command execution.","title":"AVideo OS Command Injection Vulnerability (CVE-2026-33482)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","authentication-bypass","payment-data-leak"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, a video sharing platform, contains a critical vulnerability affecting multiple payment plugins. The vulnerability stems from the lack of authentication checks on \u003ccode\u003elist.json.php\u003c/code\u003e endpoints, which expose sensitive payment transaction data. This oversight allows unauthenticated attackers to retrieve payment records from PayPal, Authorize.Net, and Bitcoin payment providers. The issue mirrors a previously patched vulnerability in the Scheduler plugin (GHSA-j724-5c6c-68g5) but was not consistently applied across all affected endpoints. A total of 21 \u003ccode\u003elist.json.php\u003c/code\u003e endpoints remain vulnerable. The affected version is \u0026lt;= 26.0. This vulnerability poses a significant threat to AVideo users, potentially leading to financial data theft and unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable AVideo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to a vulnerable \u003ccode\u003elist.json.php\u003c/code\u003e endpoint, such as \u003ccode\u003eplugin/PayPalYPT/View/PayPalYPT_log/list.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo server processes the request without authentication and executes the associated PHP script.\u003c/li\u003e\n\u003cli\u003eThe script queries the database, retrieving all records from the corresponding table (e.g., \u003ccode\u003ePayPalYPT_log\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns a JSON-encoded response containing the retrieved data, including sensitive payment information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to extract PayPal agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, or Bitcoin transaction details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted tokens or payment information for malicious purposes, such as payment manipulation or account correlation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to significant data exposure. Attackers can retrieve all payment transaction records across PayPal, Authorize.Net, and Bitcoin payment providers. This includes sensitive data such as PayPal Express Checkout tokens and billing agreement IDs, potentially enabling payment manipulation or account correlation. Transaction records contain user ID mappings, payment amounts, and full API responses that may include payer email addresses and names. The scope is broad, affecting 21 \u003ccode\u003elist.json.php\u003c/code\u003e endpoints, also exposing live streaming server infrastructure and user connection data. No authentication or user interaction is required.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided code snippet to all unprotected \u003ccode\u003elist.json.php\u003c/code\u003e endpoints to enforce authentication checks using \u003ccode\u003eUser::isAdmin()\u003c/code\u003e as detailed in the advisory's recommended fix.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003elist.json.php\u003c/code\u003e endpoints located within AVideo plugin directories using the rule \u003ccode\u003eAVideo Unauthenticated Access to list.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for sensitive data being transmitted in cleartext from the vulnerable endpoints, such as PayPal tokens, using the rule \u003ccode\u003eAVideo Sensitive Data Exposure via Unauthenticated Endpoint\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/","summary":"AVideo is vulnerable to unauthenticated access to multiple `list.json.php` endpoints due to missing authorization checks, allowing attackers to retrieve sensitive payment transaction records, including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin payment records, leading to financial data exposure and potential PII leakage.","title":"AVideo Unauthenticated Access to Payment Log DataTables Endpoints","url":"https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","cdn","configuration-modification","vulnerability"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open source video platform, contains a critical vulnerability (CVE-2026-33719) within its CDN plugin. Versions up to and including 26.0 are affected. The vulnerability stems from the endpoints \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e and \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e using key-based authentication with an empty string as the default key. Critically, when the CDN plugin is enabled but the key remains at its default (empty) state, the authentication check is bypassed entirely. This allows any unauthenticated attacker to fully modify the CDN configuration through mass-assignment via the \u003ccode\u003epar\u003c/code\u003e request parameter. This includes the ability to manipulate CDN URLs, storage credentials, and even the authentication key itself. A patch has been released in commit adeff0a31ba04a56f411eef256139fd7ed7d4310. This is significant because it can lead to complete compromise of the video delivery infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance with the CDN plugin enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker checks the CDN configuration by sending a GET request to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e without any authentication headers to confirm if CDN plugin is enabled and running with default configuration.\u003c/li\u003e\n\u003cli\u003eIf the CDN key is the default empty string, the attacker crafts a malicious POST request to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e or \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003epar\u003c/code\u003e parameter containing a JSON object with modified CDN settings, such as CDN URLs and storage credentials.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed authentication, the AVideo server processes the request and updates the CDN configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify the CDN URL to point to a malicious server hosting malware or phishing content.\u003c/li\u003e\n\u003cli\u003eLegitimate users requesting video content are redirected to the attacker's malicious CDN.\u003c/li\u003e\n\u003cli\u003eThe attacker can also steal storage credentials and compromise the CDN's data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33719 allows an unauthenticated attacker to take complete control over the video delivery infrastructure. This can result in serving malicious content to users, data exfiltration from the CDN storage, or complete disruption of video services. The number of victims depends on the popularity of the affected AVideo instances. This vulnerability impacts any organization using AVideo with the CDN plugin enabled and the default configuration, including educational institutions, media companies, and content creators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit adeff0a31ba04a56f411eef256139fd7ed7d4310 or upgrade to a version of AVideo that includes this fix to remediate CVE-2026-33719.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e and \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e or \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e endpoints without proper authentication headers, as these may indicate an attempted exploit.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, configure a strong, non-default key for the CDN plugin to prevent the authentication bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/","summary":"AVideo is vulnerable to unauthenticated configuration modification in its CDN plugin due to a bypassed key validation check when the default empty key is used, allowing modification of CDN URLs, storage credentials, and the authentication key itself.","title":"AVideo CDN Plugin Unauthenticated Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","cors","account-takeover","web-application"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, a video-sharing platform, contains a critical vulnerability in its CORS implementation. The \u003ccode\u003eallowOrigin($allowAll=true)\u003c/code\u003e function in \u003ccode\u003eobjects/functions.php\u003c/code\u003e unconditionally reflects the \u003ccode\u003eOrigin\u003c/code\u003e header, along with \u003ccode\u003eAccess-Control-Allow-Credentials: true\u003c/code\u003e, on the \u003ccode\u003eplugin/API/get.json.php\u003c/code\u003e and \u003ccode\u003eplugin/API/set.json.php\u003c/code\u003e endpoints. These API endpoints handle sensitive user data retrieval, authentication, and state-changing operations. Combined with the application's \u003ccode\u003eSameSite=None\u003c/code\u003e session cookie policy, this allows attackers to bypass CORS restrictions, enabling credentialed cross-origin requests. By hosting a malicious webpage, an attacker can steal user PII (email, name, address, phone number, birth date), livestream credentials, and perform unauthorized actions on behalf of a logged-in user. This vulnerability affects AVideo versions 29.0 and earlier. The issue was introduced due to an oversight in a previous fix (commit \u003ccode\u003e986e64aad\u003c/code\u003e) which addressed CORS handling for null origins but neglected the more dangerous \u003ccode\u003e$allowAll=true\u003c/code\u003e path.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page hosted on a domain they control (e.g., \u003ccode\u003eattacker.example\u003c/code\u003e). This page contains JavaScript code designed to make a cross-origin request to the vulnerable AVideo instance.\u003c/li\u003e\n\u003cli\u003eA logged-in AVideo user visits the attacker's malicious page.\u003c/li\u003e\n\u003cli\u003eThe JavaScript on the attacker's page sends a credentialed GET request to the \u003ccode\u003ehttps://TARGET/plugin/API/get.json.php?APIName=user\u003c/code\u003e endpoint with \u003ccode\u003ecredentials: 'include'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo server's \u003ccode\u003eallowOrigin\u003c/code\u003e function reflects the attacker's origin in the \u003ccode\u003eAccess-Control-Allow-Origin\u003c/code\u003e header, along with setting \u003ccode\u003eAccess-Control-Allow-Credentials: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's JavaScript receives the API response containing the victim's sensitive data, including email, name, address, phone number, admin status, livestream server URL with embedded password, and encrypted stream key.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to their server (e.g., \u003ccode\u003ehttps://attacker.example/collect\u003c/code\u003e) using \u003ccode\u003enavigator.sendBeacon\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e(Optional) The attacker crafts further requests to \u003ccode\u003eset.json.php\u003c/code\u003e to perform actions on the victim's behalf, such as modifying video settings or other account-related configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to steal sensitive user data, including email, full name, address, phone number, and birth date, from any logged-in user who visits the attacker-controlled page. The attacker can also compromise user accounts by stealing livestream credentials, allowing them to hijack live streams. Exposure of admin status and permissions facilitates targeted attacks on privileged accounts. Furthermore, the attacker can perform state modifications on behalf of the victim through the \u003ccode\u003eset.json.php\u003c/code\u003e endpoint, potentially disrupting service or causing further damage. Due to the nature of the vulnerability, a single attacker page can harvest data from every logged-in visitor, leading to mass exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo API Access From Unknown Origins\u003c/code\u003e to identify requests to the vulnerable API endpoints originating from domains not explicitly allowed.\u003c/li\u003e\n\u003cli\u003eApply the recommended fix provided in the advisory by replacing the permissive origin reflection in the \u003ccode\u003eallowOrigin()\u003c/code\u003e function with proper validation against the site's configured domain.\u003c/li\u003e\n\u003cli\u003eAudit webserver logs for requests to \u003ccode\u003e/plugin/API/get.json.php\u003c/code\u003e and \u003ccode\u003e/plugin/API/set.json.php\u003c/code\u003e where the Origin header does not match the expected domain to identify potential exploitation attempts (reference IOC: vulnerable API endpoint).\u003c/li\u003e\n\u003cli\u003eConsider separating truly public endpoints from sensitive API endpoints with different CORS policies.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to attacker-controlled domains like \u003ccode\u003eattacker.example\u003c/code\u003e (reference IOC: attacker controlled domain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:21:00Z","date_published":"2024-01-26T18:21:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-avideo-cors/","summary":"The AVideo platform is vulnerable to CORS origin reflection, allowing attackers to steal user PII, livestream keys, and perform unauthorized actions by exploiting the permissive `allowOrigin` function on sensitive API endpoints.","title":"AVideo CORS Origin Reflection with Credentials Leads to Account Takeover","url":"https://feed.craftedsignal.io/briefs/2024-01-26-avideo-cors/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33647","RCE","File Upload","AVideo","Polyglot"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is susceptible to remote code execution (RCE) in versions up to and including 26.0 due to a flaw in the \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e method. This vulnerability, identified as CVE-2026-33647, arises from the inadequate validation of uploaded files. Specifically, the system uses \u003ccode\u003efinfo\u003c/code\u003e for MIME type detection but relies on the user-supplied filename extension without proper sanitization. An attacker can leverage this weakness by crafting a polyglot file, embedding malicious PHP code within a seemingly benign JPEG image, and naming it with a \u003ccode\u003e.php\u003c/code\u003e extension. This bypasses the MIME type check, causing the file to be saved as an executable PHP file within a web-accessible directory. The vulnerability was patched in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae. Successful exploitation grants the attacker the ability to execute arbitrary code on the AVideo server, leading to potential data breaches, system compromise, and service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a polyglot file. This file is a valid JPEG image with PHP code appended. The file is named with a \u003ccode\u003e.php\u003c/code\u003e extension (e.g., \u003ccode\u003eevil.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AVideo web interface, specifically the image upload functionality within \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e, to upload the malicious \u003ccode\u003eevil.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e method uses \u003ccode\u003efinfo\u003c/code\u003e to check the MIME type of the uploaded file. Because the file starts with JPEG magic bytes, it passes the MIME type check.\u003c/li\u003e\n\u003cli\u003eDue to the missing allowlist on the filename extension, the file is saved with the attacker-controlled \u003ccode\u003e.php\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe file is saved in a web-accessible directory on the AVideo server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP file (e.g., \u003ccode\u003ehttps://avideo.example.com/uploads/evil.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code embedded within the \u003ccode\u003eevil.php\u003c/code\u003e file, granting the attacker remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33647 allows an attacker to execute arbitrary code on the AVideo server. This can lead to a full system compromise, including the ability to read and modify sensitive data, install malware, pivot to other systems on the network, and disrupt service availability. The impact depends on the privileges of the web server process. Given the nature of video platforms, successful attacks can also lead to defacement and distribution of malicious content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit \u003ccode\u003e345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae\u003c/code\u003e to remediate CVE-2026-33647 immediately.\u003c/li\u003e\n\u003cli\u003eImplement strict allowlisting for file extensions in the \u003ccode\u003eImageGallery::saveFile()\u003c/code\u003e method to prevent the upload of executable files.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential attempts to exploit CVE-2026-33647 by monitoring for the execution of PHP files within the web server's upload directories.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for suspicious requests to PHP files in upload directories for potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/","summary":"AVideo versions up to 26.0 are vulnerable to remote code execution (CVE-2026-33647) due to insufficient file validation in the `ImageGallery::saveFile()` method, allowing attackers to upload polyglot files with a `.php` extension to achieve code execution.","title":"AVideo Remote Code Execution via Polyglot File Upload (CVE-2026-33647)","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo Platform"],"_cs_severities":["critical"],"_cs_tags":["avideo","authentication-bypass","cve-2026-33716"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is vulnerable to an authentication bypass flaw affecting versions up to and including 26.0. The vulnerability resides in the \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e endpoint, which handles live stream control. By manipulating the \u003ccode\u003estreamerURL\u003c/code\u003e parameter, a malicious actor can redirect token verification requests to a server under their control. This malicious server is designed to always return a positive authentication response (\u003ccode\u003e{\u0026quot;error\u0026quot;: false}\u003c/code\u003e), effectively bypassing the intended authentication process. This allows an unauthenticated attacker to take complete control over any live stream hosted on the platform. The vulnerability was patched in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This vulnerability poses a severe risk to AVideo platforms as it could lead to unauthorized modification or disruption of live streams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo platform running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003estreamerURL\u003c/code\u003e parameter, setting its value to a URL pointing to a server under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker's server is configured to respond to any token verification request with a JSON response: \u003ccode\u003e{\u0026quot;error\u0026quot;: false}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe AVideo platform, upon receiving the crafted request, sends a token verification request to the attacker-controlled \u003ccode\u003estreamerURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's server responds with \u003ccode\u003e{\u0026quot;error\u0026quot;: false}\u003c/code\u003e, tricking the AVideo platform into believing the user is authenticated.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use other parameters in the \u003ccode\u003econtrol.json.php\u003c/code\u003e endpoint to perform unauthorized actions on live streams, such as dropping active publishers.\u003c/li\u003e\n\u003cli\u003eThe attacker can also start/stop recordings or probe for the existence of live streams.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33716 allows an unauthenticated attacker to gain full control over live streams on the affected AVideo platform. This can lead to various detrimental outcomes, including unauthorized termination of legitimate streams, injection of malicious content into live broadcasts, and disruption of service. The CVSS v3.1 base score for this vulnerability is 9.4, indicating a critical severity level. The number of affected AVideo platforms is unknown, but any instance running a version up to 26.0 is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 to remediate CVE-2026-33716.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts against the \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003eplugin/Live/standAloneFiles/control.json.php\u003c/code\u003e containing the \u003ccode\u003estreamerURL\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-17T12:00:00Z","date_published":"2024-01-17T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/","summary":"AVideo platform versions up to 26.0 are vulnerable to unauthenticated control of live streams due to manipulation of the `streamerURL` parameter in the `control.json.php` endpoint, enabling actions like dropping publishers or starting/stopping recordings.","title":"AVideo Platform Unauthenticated Live Stream Control via streamerURL Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["ssrf","avideo","cve-2026-33480","webserver"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is vulnerable to a Server-Side Request Forgery (SSRF) attack. Specifically, versions up to and including 26.0 contain a flaw in the \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function. This function, intended to prevent SSRF attacks, can be bypassed using IPv4-mapped IPv6 addresses (e.g., \u003ccode\u003e::ffff:x.x.x.x\u003c/code\u003e). The vulnerability is located in the \u003ccode\u003eplugin/LiveLinks/proxy.php\u003c/code\u003e endpoint, which lacks proper authentication. An attacker can exploit this to make arbitrary HTTP requests to internal resources, cloud metadata endpoints, and localhost services. This issue was addressed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373. The CVSS v3.1 score is 8.6, indicating a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance running a vulnerable version (\u0026lt;= 26.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL using an IPv4-mapped IPv6 address, such as \u003ccode\u003e::ffff:127.0.0.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the \u003ccode\u003eplugin/LiveLinks/proxy.php\u003c/code\u003e endpoint, providing the malicious URL as a parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function fails to properly validate the IPv4-mapped IPv6 address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eproxy.php\u003c/code\u003e script uses curl (or a similar function) to fetch the content from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe curl request is sent to the target specified within the IPv6-mapped address (e.g., localhost).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information from internal services, cloud metadata, or localhost.\u003c/li\u003e\n\u003cli\u003eThe attacker may further exploit accessed services or exfiltrate data depending on the internal resources exposed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows unauthenticated attackers to read sensitive information from internal services, cloud metadata endpoints, and localhost services. This can lead to the disclosure of API keys, configuration files, internal network layouts, and potentially allow further exploitation of other internal systems. The lack of authentication on the affected endpoint greatly increases the potential for widespread abuse, particularly in cloud environments where metadata services are readily accessible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 to remediate CVE-2026-33480.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003eplugin/LiveLinks/proxy.php\u003c/code\u003e endpoint containing IPv4-mapped IPv6 addresses using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict access from the AVideo server to internal resources to mitigate the impact of successful SSRF attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-16T12:00:00Z","date_published":"2024-01-16T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/","summary":"AVideo versions up to 26.0 are vulnerable to server-side request forgery (SSRF) due to a bypass in the `isSSRFSafeURL()` function, allowing unauthenticated attackers to access internal resources.","title":"AVideo SSRF Vulnerability via IPv4-Mapped IPv6 Bypass (CVE-2026-33480)","url":"https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","sql-injection","cve-2026-33651","webserver"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33651) affecting versions up to and including 26.0. The vulnerability lies within the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint, where the \u003ccode\u003e$_REQUEST['live_schedule_id']\u003c/code\u003e parameter is mishandled. Despite attempts to sanitize the input using \u003ccode\u003eintval()\u003c/code\u003e within intermediate functions, the original tainted variable remains unsanitized before being directly concatenated into a SQL \u003ccode\u003eLIKE\u003c/code\u003e clause within \u003ccode\u003eScheduler_commands::getAllActiveOrToRepeat()\u003c/code\u003e. This flaw enables any authenticated user to perform time-based blind SQL injection attacks. The vulnerability was patched in commit 75d45780728294ededa1e3f842f95295d3e7d144. Successful exploitation could lead to unauthorized access and exfiltration of sensitive database information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the AVideo platform with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003elive_schedule_id\u003c/code\u003e parameter within the request. This parameter is passed unsanitized to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eremindMe.json.php\u003c/code\u003e script processes the request, passing the tainted \u003ccode\u003elive_schedule_id\u003c/code\u003e to \u003ccode\u003eScheduler_commands::getAllActiveOrToRepeat()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eScheduler_commands::getAllActiveOrToRepeat()\u003c/code\u003e concatenates the injected SQL code into a \u003ccode\u003eLIKE\u003c/code\u003e clause within a SQL query.\u003c/li\u003e\n\u003cli\u003eThe application executes the malicious SQL query against the AVideo database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based techniques to infer the results of the injected SQL query, extracting data bit by bit.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates sensitive information from the database, such as user credentials, configuration settings, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33651 allows any authenticated user to perform time-based blind SQL injection attacks, leading to the complete compromise of the AVideo database. This can result in the exfiltration of sensitive data, including user credentials and system configurations. Given that AVideo is a video platform, the exposed data could also include information about video content, user activity, and potentially even the videos themselves. The number of affected installations is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 75d45780728294ededa1e3f842f95295d3e7d144 to remediate CVE-2026-33651.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo SQL Injection Attempt\u0026quot; to detect exploitation attempts against the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL syntax in the \u003ccode\u003elive_schedule_id\u003c/code\u003e parameter of the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/","summary":"AVideo versions up to 26.0 are vulnerable to time-based blind SQL injection via the `live_schedule_id` parameter in `remindMe.json.php`, allowing authenticated users to extract arbitrary database contents.","title":"AVideo SQL Injection Vulnerability (CVE-2026-33651)","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33492","avideo","session-fixation","web-application"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is vulnerable to a session fixation attack (CVE-2026-33492) in versions up to and including 26.0. The vulnerability stems from the \u003ccode\u003e_session_start()\u003c/code\u003e function, which improperly accepts arbitrary session IDs via the \u003ccode\u003ePHPSESSID\u003c/code\u003e GET parameter. Furthermore, session regeneration is bypassed for specific blacklisted endpoints when the request originates from the same domain. Critically, the \u003ccode\u003eUser::login()\u003c/code\u003e function explicitly disables session regeneration. This combination allows an attacker to set a victim's session ID before they authenticate, and subsequently hijack their authenticated session. This is a critical vulnerability as it can lead to complete account takeover. A patch is available in commit 5647a94d79bf69a972a86653fe02144079948785.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable AVideo instance (version 26.0 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious link or uses another method to send the victim a URL to the AVideo site that includes a \u003ccode\u003ePHPSESSID\u003c/code\u003e parameter with a session ID controlled by the attacker (e.g., \u003ccode\u003ehttps://example.com/?PHPSESSID=attacker_session_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and their browser sets the \u003ccode\u003ePHPSESSID\u003c/code\u003e cookie to the attacker-controlled value. The AVideo server starts a PHP session using the provided session ID.\u003c/li\u003e\n\u003cli\u003eThe victim logs into the AVideo platform. The \u003ccode\u003eUser::login()\u003c/code\u003e function, due to the vulnerability, does not regenerate the session ID upon successful authentication.\u003c/li\u003e\n\u003cli\u003eThe victim's authenticated session continues to use the attacker-controlled \u003ccode\u003ePHPSESSID\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the same \u003ccode\u003ePHPSESSID\u003c/code\u003e value in their own browser to access the AVideo site.\u003c/li\u003e\n\u003cli\u003eThe AVideo server authenticates the attacker as the victim because the session ID matches the victim's authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker now has complete access to the victim's account, including their videos, personal information, and administrative privileges if applicable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely take over a user's account on the AVideo platform. This could lead to unauthorized access to sensitive video content, modification or deletion of videos, defacement of the platform, or further attacks leveraging the compromised account. The number of potential victims depends on the number of vulnerable AVideo instances and their user base, but the impact is significant for each compromised account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch available in commit 5647a94d79bf69a972a86653fe02144079948785 to remediate the session fixation vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Session Fixation Attempt via PHPSESSID GET Parameter\u003c/code\u003e to identify potential exploitation attempts (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the \u003ccode\u003ePHPSESSID\u003c/code\u003e parameter in the query string to identify potential session fixation attempts (webserver logs).\u003c/li\u003e\n\u003cli\u003eConsider implementing a web application firewall (WAF) rule to block requests containing the \u003ccode\u003ePHPSESSID\u003c/code\u003e parameter in the query string (webserver logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/","summary":"AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.","title":"AVideo Session Fixation Vulnerability (CVE-2026-33492)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-39369"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","lfi","file-disclosure","php"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, a video sharing platform, is vulnerable to a local file inclusion vulnerability (CVE-2026-39369) in versions 26.0 and earlier. The vulnerability exists in the \u003ccode\u003eobjects/aVideoEncoderReceiveImage.json.php\u003c/code\u003e endpoint, which is accessible to authenticated users with uploader privileges. By manipulating the \u003ccode\u003edownloadURL_gifimage\u003c/code\u003e parameter with a specially crafted URL containing path traversal sequences, an attacker can bypass input sanitization and force the application to read arbitrary files from the server's filesystem. The application then writes the content of the file into a GIF, making it accessible via a public media URL. This allows attackers to retrieve sensitive information such as configuration files, source code, and system credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker logs in to AVideo as an authenticated user with uploader privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request to \u003ccode\u003eobjects/aVideoEncoderReceiveImage.json.php\u003c/code\u003e with the \u003ccode\u003edownloadURL_gifimage\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edownloadURL_gifimage\u003c/code\u003e parameter contains a URL with path traversal sequences (e.g., \u003ccode\u003e....//....//\u003c/code\u003e) targeting a sensitive file on the server (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application attempts to sanitize the URL using \u003ccode\u003estr_replace('../', '', ...)\u003c/code\u003e but fails due to the overlapping traversal sequence.\u003c/li\u003e\n\u003cli\u003eThe application resolves the manipulated URL, resulting in a read operation from the targeted file on the local filesystem using \u003ccode\u003eurl_get_contents()\u003c/code\u003e or \u003ccode\u003etry_get_contents_from_local()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe content of the targeted file is retrieved and written into a GIF image file on the server's disk.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eobjects/videos.json.php?showAll=1\u003c/code\u003e to recover the generated GIF URL from \u003ccode\u003evideosURL.gif.url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the GIF URL, retrieves the file content, and obtains sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the AVideo server. This can lead to the disclosure of sensitive information, including configuration files, source code, and system credentials, potentially leading to further compromise of the server and the AVideo platform. This impacts any AVideo instance running version 26.0 or earlier and puts all associated data at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fixes from WWBN: Reject any remote image URL whose decoded path contains traversal markers.\u003c/li\u003e\n\u003cli\u003eApply the recommended fixes from WWBN: Do not allow attacker-controlled same-origin \u003ccode\u003e/videos/...\u003c/code\u003e fetches to resolve into local file reads.\u003c/li\u003e\n\u003cli\u003eApply the recommended fixes from WWBN: Constrain any local shortcut path handling with \u003ccode\u003erealpath()\u003c/code\u003e and strict base-directory allowlists.\u003c/li\u003e\n\u003cli\u003eApply the recommended fixes from WWBN: Validate GIF content before saving it into public media storage.\u003c/li\u003e\n\u003cli\u003eApply the recommended fixes from WWBN: Ensure invalid-image cleanup checks the correct destination path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo LFI Attempt\u003c/code\u003e to detect exploitation attempts against the \u003ccode\u003eaVideoEncoderReceiveImage.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003e/objects/aVideoEncoderReceiveImage.json.php\u003c/code\u003e containing path traversal sequences in the \u003ccode\u003edownloadURL_gifimage\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-lfi/","summary":"AVideo is vulnerable to local file inclusion (LFI) via the EncoderReceiveImage endpoint, allowing authenticated uploaders to read sensitive server files by bypassing path traversal restrictions.","title":"AVideo EncoderReceiveImage Local File Inclusion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed - AVideo","version":"https://jsonfeed.org/version/1.1"}