<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AVideo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/avideo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/avideo/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo OS Command Injection Vulnerability (CVE-2026-33482)</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-avideo-command-injection/</guid><description>AVideo versions up to 26.0 are vulnerable to OS command injection due to insufficient sanitization of shell metacharacters in the `sanitizeFFmpegCommand()` function, potentially allowing arbitrary command execution.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, contains an OS command injection vulnerability (CVE-2026-33482) affecting versions up to and including 26.0. The vulnerability resides within the <code>sanitizeFFmpegCommand()</code> function located in <code>plugin/API/standAlone/functions.php</code>. This function is intended to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters. However, it fails to properly sanitize the <code>$()</code> bash command substitution syntax. This oversight allows attackers who can craft a valid encrypted payload to achieve arbitrary command execution on the standalone encoder server due to the use of <code>sh -c</code> within <code>execAsync()</code>. The vulnerability was patched in commit 25c8ab90269e3a01fb4cf205b40a373487f022e1. Exploitation requires the attacker to be able to craft a valid encrypted payload.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious encrypted payload containing a command injection payload leveraging the <code>$()</code> bash command substitution.</li>
<li>The attacker uploads or injects this payload into the AVideo platform.</li>
<li>AVideo processes the malicious payload, passing it to the <code>sanitizeFFmpegCommand()</code> function.</li>
<li>The <code>sanitizeFFmpegCommand()</code> function fails to properly sanitize the <code>$()</code> bash command substitution syntax within the payload.</li>
<li>The unsanitized command is then executed within a double-quoted <code>sh -c</code> context in the <code>execAsync()</code> function.</li>
<li>The <code>sh -c</code> interpreter executes the injected command, resulting in arbitrary code execution on the standalone encoder server.</li>
<li>The attacker gains control of the server, potentially leading to data exfiltration, system compromise, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo standalone encoder server. This can lead to complete system compromise, including data exfiltration, modification, or deletion. Given the nature of AVideo as a video platform, attackers could also inject malicious content into videos served by the platform, potentially affecting a large number of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 to remediate CVE-2026-33482.</li>
<li>Deploy the Sigma rule &quot;Detect AVideo Command Injection Attempt&quot; to detect potential exploitation attempts in web server logs.</li>
<li>Monitor web server logs for suspicious requests containing shell metacharacters, especially <code>$()</code>, targeting the <code>plugin/API/standAlone/functions.php</code> path.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>command-injection</category><category>cve-2026-33482</category><category>webserver</category></item><item><title>AVideo Unauthenticated Access to Payment Log DataTables Endpoints</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-avideo-auth-bypass/</guid><description>AVideo is vulnerable to unauthenticated access to multiple `list.json.php` endpoints due to missing authorization checks, allowing attackers to retrieve sensitive payment transaction records, including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin payment records, leading to financial data exposure and potential PII leakage.</description><content:encoded><![CDATA[<p>AVideo, a video sharing platform, contains a critical vulnerability affecting multiple payment plugins. The vulnerability stems from the lack of authentication checks on <code>list.json.php</code> endpoints, which expose sensitive payment transaction data. This oversight allows unauthenticated attackers to retrieve payment records from PayPal, Authorize.Net, and Bitcoin payment providers. The issue mirrors a previously patched vulnerability in the Scheduler plugin (GHSA-j724-5c6c-68g5) but was not consistently applied across all affected endpoints. A total of 21 <code>list.json.php</code> endpoints remain vulnerable. The affected version is &lt;= 26.0. This vulnerability poses a significant threat to AVideo users, potentially leading to financial data theft and unauthorized access to sensitive information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable AVideo instance.</li>
<li>The attacker crafts a GET request to a vulnerable <code>list.json.php</code> endpoint, such as <code>plugin/PayPalYPT/View/PayPalYPT_log/list.json.php</code>.</li>
<li>The AVideo server processes the request without authentication and executes the associated PHP script.</li>
<li>The script queries the database, retrieving all records from the corresponding table (e.g., <code>PayPalYPT_log</code>).</li>
<li>The server returns a JSON-encoded response containing the retrieved data, including sensitive payment information.</li>
<li>The attacker parses the JSON response to extract PayPal agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, or Bitcoin transaction details.</li>
<li>The attacker uses the extracted tokens or payment information for malicious purposes, such as payment manipulation or account correlation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to significant data exposure. Attackers can retrieve all payment transaction records across PayPal, Authorize.Net, and Bitcoin payment providers. This includes sensitive data such as PayPal Express Checkout tokens and billing agreement IDs, potentially enabling payment manipulation or account correlation. Transaction records contain user ID mappings, payment amounts, and full API responses that may include payer email addresses and names. The scope is broad, affecting 21 <code>list.json.php</code> endpoints, also exposing live streaming server infrastructure and user connection data. No authentication or user interaction is required.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the provided code snippet to all unprotected <code>list.json.php</code> endpoints to enforce authentication checks using <code>User::isAdmin()</code> as detailed in the advisory's recommended fix.</li>
<li>Monitor web server access logs for requests to <code>list.json.php</code> endpoints located within AVideo plugin directories using the rule <code>AVideo Unauthenticated Access to list.json.php</code>.</li>
<li>Inspect network traffic for sensitive data being transmitted in cleartext from the vulnerable endpoints, such as PayPal tokens, using the rule <code>AVideo Sensitive Data Exposure via Unauthenticated Endpoint</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>authentication-bypass</category><category>payment-data-leak</category></item><item><title>AVideo CDN Plugin Unauthenticated Configuration Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/</guid><description>AVideo is vulnerable to unauthenticated configuration modification in its CDN plugin due to a bypassed key validation check when the default empty key is used, allowing modification of CDN URLs, storage credentials, and the authentication key itself.</description><content:encoded><![CDATA[<p>AVideo, an open source video platform, contains a critical vulnerability (CVE-2026-33719) within its CDN plugin. Versions up to and including 26.0 are affected. The vulnerability stems from the endpoints <code>plugin/CDN/status.json.php</code> and <code>plugin/CDN/disable.json.php</code> using key-based authentication with an empty string as the default key. Critically, when the CDN plugin is enabled but the key remains at its default (empty) state, the authentication check is bypassed entirely. This allows any unauthenticated attacker to fully modify the CDN configuration through mass-assignment via the <code>par</code> request parameter. This includes the ability to manipulate CDN URLs, storage credentials, and even the authentication key itself. A patch has been released in commit adeff0a31ba04a56f411eef256139fd7ed7d4310. This is significant because it can lead to complete compromise of the video delivery infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an AVideo instance with the CDN plugin enabled.</li>
<li>The attacker checks the CDN configuration by sending a GET request to <code>plugin/CDN/status.json.php</code> without any authentication headers to confirm if CDN plugin is enabled and running with default configuration.</li>
<li>If the CDN key is the default empty string, the attacker crafts a malicious POST request to <code>plugin/CDN/status.json.php</code> or <code>plugin/CDN/disable.json.php</code>.</li>
<li>The POST request includes the <code>par</code> parameter containing a JSON object with modified CDN settings, such as CDN URLs and storage credentials.</li>
<li>Due to the bypassed authentication, the AVideo server processes the request and updates the CDN configuration.</li>
<li>The attacker can modify the CDN URL to point to a malicious server hosting malware or phishing content.</li>
<li>Legitimate users requesting video content are redirected to the attacker's malicious CDN.</li>
<li>The attacker can also steal storage credentials and compromise the CDN's data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33719 allows an unauthenticated attacker to take complete control over the video delivery infrastructure. This can result in serving malicious content to users, data exfiltration from the CDN storage, or complete disruption of video services. The number of victims depends on the popularity of the affected AVideo instances. This vulnerability impacts any organization using AVideo with the CDN plugin enabled and the default configuration, including educational institutions, media companies, and content creators.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit adeff0a31ba04a56f411eef256139fd7ed7d4310 or upgrade to a version of AVideo that includes this fix to remediate CVE-2026-33719.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the <code>plugin/CDN/status.json.php</code> and <code>plugin/CDN/disable.json.php</code> endpoints.</li>
<li>Monitor web server logs for POST requests to <code>plugin/CDN/status.json.php</code> or <code>plugin/CDN/disable.json.php</code> endpoints without proper authentication headers, as these may indicate an attempted exploit.</li>
<li>As a temporary workaround, configure a strong, non-default key for the CDN plugin to prevent the authentication bypass.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>cdn</category><category>configuration-modification</category><category>vulnerability</category></item><item><title>AVideo CORS Origin Reflection with Credentials Leads to Account Takeover</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-avideo-cors/</link><pubDate>Fri, 26 Jan 2024 18:21:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-avideo-cors/</guid><description>The AVideo platform is vulnerable to CORS origin reflection, allowing attackers to steal user PII, livestream keys, and perform unauthorized actions by exploiting the permissive `allowOrigin` function on sensitive API endpoints.</description><content:encoded><![CDATA[<p>AVideo, a video-sharing platform, contains a critical vulnerability in its CORS implementation. The <code>allowOrigin($allowAll=true)</code> function in <code>objects/functions.php</code> unconditionally reflects the <code>Origin</code> header, along with <code>Access-Control-Allow-Credentials: true</code>, on the <code>plugin/API/get.json.php</code> and <code>plugin/API/set.json.php</code> endpoints. These API endpoints handle sensitive user data retrieval, authentication, and state-changing operations. Combined with the application's <code>SameSite=None</code> session cookie policy, this allows attackers to bypass CORS restrictions, enabling credentialed cross-origin requests. By hosting a malicious webpage, an attacker can steal user PII (email, name, address, phone number, birth date), livestream credentials, and perform unauthorized actions on behalf of a logged-in user. This vulnerability affects AVideo versions 29.0 and earlier. The issue was introduced due to an oversight in a previous fix (commit <code>986e64aad</code>) which addressed CORS handling for null origins but neglected the more dangerous <code>$allowAll=true</code> path.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTML page hosted on a domain they control (e.g., <code>attacker.example</code>). This page contains JavaScript code designed to make a cross-origin request to the vulnerable AVideo instance.</li>
<li>A logged-in AVideo user visits the attacker's malicious page.</li>
<li>The JavaScript on the attacker's page sends a credentialed GET request to the <code>https://TARGET/plugin/API/get.json.php?APIName=user</code> endpoint with <code>credentials: 'include'</code>.</li>
<li>The AVideo server's <code>allowOrigin</code> function reflects the attacker's origin in the <code>Access-Control-Allow-Origin</code> header, along with setting <code>Access-Control-Allow-Credentials: true</code>.</li>
<li>The attacker's JavaScript receives the API response containing the victim's sensitive data, including email, name, address, phone number, admin status, livestream server URL with embedded password, and encrypted stream key.</li>
<li>The attacker exfiltrates the stolen data to their server (e.g., <code>https://attacker.example/collect</code>) using <code>navigator.sendBeacon</code>.</li>
<li>(Optional) The attacker crafts further requests to <code>set.json.php</code> to perform actions on the victim's behalf, such as modifying video settings or other account-related configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to steal sensitive user data, including email, full name, address, phone number, and birth date, from any logged-in user who visits the attacker-controlled page. The attacker can also compromise user accounts by stealing livestream credentials, allowing them to hijack live streams. Exposure of admin status and permissions facilitates targeted attacks on privileged accounts. Furthermore, the attacker can perform state modifications on behalf of the victim through the <code>set.json.php</code> endpoint, potentially disrupting service or causing further damage. Due to the nature of the vulnerability, a single attacker page can harvest data from every logged-in visitor, leading to mass exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AVideo API Access From Unknown Origins</code> to identify requests to the vulnerable API endpoints originating from domains not explicitly allowed.</li>
<li>Apply the recommended fix provided in the advisory by replacing the permissive origin reflection in the <code>allowOrigin()</code> function with proper validation against the site's configured domain.</li>
<li>Audit webserver logs for requests to <code>/plugin/API/get.json.php</code> and <code>/plugin/API/set.json.php</code> where the Origin header does not match the expected domain to identify potential exploitation attempts (reference IOC: vulnerable API endpoint).</li>
<li>Consider separating truly public endpoints from sensitive API endpoints with different CORS policies.</li>
<li>Monitor network traffic for connections to attacker-controlled domains like <code>attacker.example</code> (reference IOC: attacker controlled domain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>cors</category><category>account-takeover</category><category>web-application</category></item><item><title>AVideo Remote Code Execution via Polyglot File Upload (CVE-2026-33647)</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-rce/</guid><description>AVideo versions up to 26.0 are vulnerable to remote code execution (CVE-2026-33647) due to insufficient file validation in the `ImageGallery::saveFile()` method, allowing attackers to upload polyglot files with a `.php` extension to achieve code execution.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is susceptible to remote code execution (RCE) in versions up to and including 26.0 due to a flaw in the <code>ImageGallery::saveFile()</code> method. This vulnerability, identified as CVE-2026-33647, arises from the inadequate validation of uploaded files. Specifically, the system uses <code>finfo</code> for MIME type detection but relies on the user-supplied filename extension without proper sanitization. An attacker can leverage this weakness by crafting a polyglot file, embedding malicious PHP code within a seemingly benign JPEG image, and naming it with a <code>.php</code> extension. This bypasses the MIME type check, causing the file to be saved as an executable PHP file within a web-accessible directory. The vulnerability was patched in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae. Successful exploitation grants the attacker the ability to execute arbitrary code on the AVideo server, leading to potential data breaches, system compromise, and service disruption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an AVideo instance running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker crafts a polyglot file. This file is a valid JPEG image with PHP code appended. The file is named with a <code>.php</code> extension (e.g., <code>evil.php</code>).</li>
<li>The attacker uses the AVideo web interface, specifically the image upload functionality within <code>ImageGallery::saveFile()</code>, to upload the malicious <code>evil.php</code> file.</li>
<li>The <code>ImageGallery::saveFile()</code> method uses <code>finfo</code> to check the MIME type of the uploaded file. Because the file starts with JPEG magic bytes, it passes the MIME type check.</li>
<li>Due to the missing allowlist on the filename extension, the file is saved with the attacker-controlled <code>.php</code> extension.</li>
<li>The file is saved in a web-accessible directory on the AVideo server.</li>
<li>The attacker sends an HTTP request to the uploaded PHP file (e.g., <code>https://avideo.example.com/uploads/evil.php</code>).</li>
<li>The web server executes the PHP code embedded within the <code>evil.php</code> file, granting the attacker remote code execution on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33647 allows an attacker to execute arbitrary code on the AVideo server. This can lead to a full system compromise, including the ability to read and modify sensitive data, install malware, pivot to other systems on the network, and disrupt service availability. The impact depends on the privileges of the web server process. Given the nature of video platforms, successful attacks can also lead to defacement and distribution of malicious content.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit <code>345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae</code> to remediate CVE-2026-33647 immediately.</li>
<li>Implement strict allowlisting for file extensions in the <code>ImageGallery::saveFile()</code> method to prevent the upload of executable files.</li>
<li>Deploy the provided Sigma rule to detect potential attempts to exploit CVE-2026-33647 by monitoring for the execution of PHP files within the web server's upload directories.</li>
<li>Review webserver logs for suspicious requests to PHP files in upload directories for potential exploitation attempts (log source: webserver).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-33647</category><category>RCE</category><category>File Upload</category><category>AVideo</category><category>Polyglot</category></item><item><title>AVideo Platform Unauthenticated Live Stream Control via streamerURL Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/</link><pubDate>Wed, 17 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-auth-bypass/</guid><description>AVideo platform versions up to 26.0 are vulnerable to unauthenticated control of live streams due to manipulation of the `streamerURL` parameter in the `control.json.php` endpoint, enabling actions like dropping publishers or starting/stopping recordings.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is vulnerable to an authentication bypass flaw affecting versions up to and including 26.0. The vulnerability resides in the <code>plugin/Live/standAloneFiles/control.json.php</code> endpoint, which handles live stream control. By manipulating the <code>streamerURL</code> parameter, a malicious actor can redirect token verification requests to a server under their control. This malicious server is designed to always return a positive authentication response (<code>{&quot;error&quot;: false}</code>), effectively bypassing the intended authentication process. This allows an unauthenticated attacker to take complete control over any live stream hosted on the platform. The vulnerability was patched in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This vulnerability poses a severe risk to AVideo platforms as it could lead to unauthorized modification or disruption of live streams.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an AVideo platform running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>plugin/Live/standAloneFiles/control.json.php</code> endpoint.</li>
<li>Within the POST request, the attacker includes the <code>streamerURL</code> parameter, setting its value to a URL pointing to a server under their control.</li>
<li>The attacker's server is configured to respond to any token verification request with a JSON response: <code>{&quot;error&quot;: false}</code>.</li>
<li>The AVideo platform, upon receiving the crafted request, sends a token verification request to the attacker-controlled <code>streamerURL</code>.</li>
<li>The attacker's server responds with <code>{&quot;error&quot;: false}</code>, tricking the AVideo platform into believing the user is authenticated.</li>
<li>The attacker can then use other parameters in the <code>control.json.php</code> endpoint to perform unauthorized actions on live streams, such as dropping active publishers.</li>
<li>The attacker can also start/stop recordings or probe for the existence of live streams.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33716 allows an unauthenticated attacker to gain full control over live streams on the affected AVideo platform. This can lead to various detrimental outcomes, including unauthorized termination of legitimate streams, injection of malicious content into live broadcasts, and disruption of service. The CVSS v3.1 base score for this vulnerability is 9.4, indicating a critical severity level. The number of affected AVideo platforms is unknown, but any instance running a version up to 26.0 is susceptible to this attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 to remediate CVE-2026-33716.</li>
<li>Deploy the Sigma rule to detect exploitation attempts against the <code>plugin/Live/standAloneFiles/control.json.php</code> endpoint.</li>
<li>Monitor web server logs for POST requests to <code>plugin/Live/standAloneFiles/control.json.php</code> containing the <code>streamerURL</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>authentication-bypass</category><category>cve-2026-33716</category></item><item><title>AVideo SSRF Vulnerability via IPv4-Mapped IPv6 Bypass (CVE-2026-33480)</title><link>https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/</link><pubDate>Tue, 16 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/</guid><description>AVideo versions up to 26.0 are vulnerable to server-side request forgery (SSRF) due to a bypass in the `isSSRFSafeURL()` function, allowing unauthenticated attackers to access internal resources.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is vulnerable to a Server-Side Request Forgery (SSRF) attack. Specifically, versions up to and including 26.0 contain a flaw in the <code>isSSRFSafeURL()</code> function. This function, intended to prevent SSRF attacks, can be bypassed using IPv4-mapped IPv6 addresses (e.g., <code>::ffff:x.x.x.x</code>). The vulnerability is located in the <code>plugin/LiveLinks/proxy.php</code> endpoint, which lacks proper authentication. An attacker can exploit this to make arbitrary HTTP requests to internal resources, cloud metadata endpoints, and localhost services. This issue was addressed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373. The CVSS v3.1 score is 8.6, indicating a high level of severity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an AVideo instance running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker crafts a malicious URL using an IPv4-mapped IPv6 address, such as <code>::ffff:127.0.0.1</code>.</li>
<li>The attacker sends an HTTP request to the <code>plugin/LiveLinks/proxy.php</code> endpoint, providing the malicious URL as a parameter.</li>
<li>The <code>isSSRFSafeURL()</code> function fails to properly validate the IPv4-mapped IPv6 address.</li>
<li>The <code>proxy.php</code> script uses curl (or a similar function) to fetch the content from the attacker-controlled URL.</li>
<li>The curl request is sent to the target specified within the IPv6-mapped address (e.g., localhost).</li>
<li>The attacker gains access to sensitive information from internal services, cloud metadata, or localhost.</li>
<li>The attacker may further exploit accessed services or exfiltrate data depending on the internal resources exposed.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability allows unauthenticated attackers to read sensitive information from internal services, cloud metadata endpoints, and localhost services. This can lead to the disclosure of API keys, configuration files, internal network layouts, and potentially allow further exploitation of other internal systems. The lack of authentication on the affected endpoint greatly increases the potential for widespread abuse, particularly in cloud environments where metadata services are readily accessible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 to remediate CVE-2026-33480.</li>
<li>Monitor web server logs for requests to the <code>plugin/LiveLinks/proxy.php</code> endpoint containing IPv4-mapped IPv6 addresses using the provided Sigma rule.</li>
<li>Implement network segmentation and firewall rules to restrict access from the AVideo server to internal resources to mitigate the impact of successful SSRF attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ssrf</category><category>avideo</category><category>cve-2026-33480</category><category>webserver</category></item><item><title>AVideo SQL Injection Vulnerability (CVE-2026-33651)</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/</guid><description>AVideo versions up to 26.0 are vulnerable to time-based blind SQL injection via the `live_schedule_id` parameter in `remindMe.json.php`, allowing authenticated users to extract arbitrary database contents.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33651) affecting versions up to and including 26.0. The vulnerability lies within the <code>remindMe.json.php</code> endpoint, where the <code>$_REQUEST['live_schedule_id']</code> parameter is mishandled. Despite attempts to sanitize the input using <code>intval()</code> within intermediate functions, the original tainted variable remains unsanitized before being directly concatenated into a SQL <code>LIKE</code> clause within <code>Scheduler_commands::getAllActiveOrToRepeat()</code>. This flaw enables any authenticated user to perform time-based blind SQL injection attacks. The vulnerability was patched in commit 75d45780728294ededa1e3f842f95295d3e7d144. Successful exploitation could lead to unauthorized access and exfiltration of sensitive database information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the AVideo platform with valid credentials.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>remindMe.json.php</code> endpoint.</li>
<li>The attacker injects SQL code into the <code>live_schedule_id</code> parameter within the request. This parameter is passed unsanitized to the vulnerable function.</li>
<li>The <code>remindMe.json.php</code> script processes the request, passing the tainted <code>live_schedule_id</code> to <code>Scheduler_commands::getAllActiveOrToRepeat()</code>.</li>
<li><code>Scheduler_commands::getAllActiveOrToRepeat()</code> concatenates the injected SQL code into a <code>LIKE</code> clause within a SQL query.</li>
<li>The application executes the malicious SQL query against the AVideo database.</li>
<li>The attacker uses time-based techniques to infer the results of the injected SQL query, extracting data bit by bit.</li>
<li>The attacker successfully exfiltrates sensitive information from the database, such as user credentials, configuration settings, or other confidential data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33651 allows any authenticated user to perform time-based blind SQL injection attacks, leading to the complete compromise of the AVideo database. This can result in the exfiltration of sensitive data, including user credentials and system configurations. Given that AVideo is a video platform, the exposed data could also include information about video content, user activity, and potentially even the videos themselves. The number of affected installations is unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 75d45780728294ededa1e3f842f95295d3e7d144 to remediate CVE-2026-33651.</li>
<li>Deploy the Sigma rule &quot;Detect AVideo SQL Injection Attempt&quot; to detect exploitation attempts against the <code>remindMe.json.php</code> endpoint.</li>
<li>Monitor web server logs for suspicious requests containing SQL syntax in the <code>live_schedule_id</code> parameter of the <code>remindMe.json.php</code> endpoint.</li>
<li>Implement input validation and sanitization for all user-supplied input to prevent SQL injection vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>sql-injection</category><category>cve-2026-33651</category><category>webserver</category></item><item><title>AVideo Session Fixation Vulnerability (CVE-2026-33492)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-avideo-session-fixation/</guid><description>AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is vulnerable to a session fixation attack (CVE-2026-33492) in versions up to and including 26.0. The vulnerability stems from the <code>_session_start()</code> function, which improperly accepts arbitrary session IDs via the <code>PHPSESSID</code> GET parameter. Furthermore, session regeneration is bypassed for specific blacklisted endpoints when the request originates from the same domain. Critically, the <code>User::login()</code> function explicitly disables session regeneration. This combination allows an attacker to set a victim's session ID before they authenticate, and subsequently hijack their authenticated session. This is a critical vulnerability as it can lead to complete account takeover. A patch is available in commit 5647a94d79bf69a972a86653fe02144079948785.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable AVideo instance (version 26.0 or earlier).</li>
<li>Attacker crafts a malicious link or uses another method to send the victim a URL to the AVideo site that includes a <code>PHPSESSID</code> parameter with a session ID controlled by the attacker (e.g., <code>https://example.com/?PHPSESSID=attacker_session_id</code>).</li>
<li>The victim clicks the link and their browser sets the <code>PHPSESSID</code> cookie to the attacker-controlled value. The AVideo server starts a PHP session using the provided session ID.</li>
<li>The victim logs into the AVideo platform. The <code>User::login()</code> function, due to the vulnerability, does not regenerate the session ID upon successful authentication.</li>
<li>The victim's authenticated session continues to use the attacker-controlled <code>PHPSESSID</code>.</li>
<li>The attacker uses the same <code>PHPSESSID</code> value in their own browser to access the AVideo site.</li>
<li>The AVideo server authenticates the attacker as the victim because the session ID matches the victim's authenticated session.</li>
<li>The attacker now has complete access to the victim's account, including their videos, personal information, and administrative privileges if applicable.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to completely take over a user's account on the AVideo platform. This could lead to unauthorized access to sensitive video content, modification or deletion of videos, defacement of the platform, or further attacks leveraging the compromised account. The number of potential victims depends on the number of vulnerable AVideo instances and their user base, but the impact is significant for each compromised account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch available in commit 5647a94d79bf69a972a86653fe02144079948785 to remediate the session fixation vulnerability.</li>
<li>Deploy the Sigma rule <code>Detect AVideo Session Fixation Attempt via PHPSESSID GET Parameter</code> to identify potential exploitation attempts (Sigma rule).</li>
<li>Monitor web server logs for requests containing the <code>PHPSESSID</code> parameter in the query string to identify potential session fixation attempts (webserver logs).</li>
<li>Consider implementing a web application firewall (WAF) rule to block requests containing the <code>PHPSESSID</code> parameter in the query string (webserver logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-33492</category><category>avideo</category><category>session-fixation</category><category>web-application</category></item><item><title>AVideo EncoderReceiveImage Local File Inclusion Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-lfi/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-lfi/</guid><description>AVideo is vulnerable to local file inclusion (LFI) via the EncoderReceiveImage endpoint, allowing authenticated uploaders to read sensitive server files by bypassing path traversal restrictions.</description><content:encoded><![CDATA[<p>AVideo, a video sharing platform, is vulnerable to a local file inclusion vulnerability (CVE-2026-39369) in versions 26.0 and earlier. The vulnerability exists in the <code>objects/aVideoEncoderReceiveImage.json.php</code> endpoint, which is accessible to authenticated users with uploader privileges. By manipulating the <code>downloadURL_gifimage</code> parameter with a specially crafted URL containing path traversal sequences, an attacker can bypass input sanitization and force the application to read arbitrary files from the server's filesystem. The application then writes the content of the file into a GIF, making it accessible via a public media URL. This allows attackers to retrieve sensitive information such as configuration files, source code, and system credentials.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker logs in to AVideo as an authenticated user with uploader privileges.</li>
<li>Attacker crafts a malicious POST request to <code>objects/aVideoEncoderReceiveImage.json.php</code> with the <code>downloadURL_gifimage</code> parameter.</li>
<li>The <code>downloadURL_gifimage</code> parameter contains a URL with path traversal sequences (e.g., <code>....//....//</code>) targeting a sensitive file on the server (e.g., <code>/etc/passwd</code>).</li>
<li>The application attempts to sanitize the URL using <code>str_replace('../', '', ...)</code> but fails due to the overlapping traversal sequence.</li>
<li>The application resolves the manipulated URL, resulting in a read operation from the targeted file on the local filesystem using <code>url_get_contents()</code> or <code>try_get_contents_from_local()</code>.</li>
<li>The content of the targeted file is retrieved and written into a GIF image file on the server's disk.</li>
<li>The attacker uses <code>objects/videos.json.php?showAll=1</code> to recover the generated GIF URL from <code>videosURL.gif.url</code>.</li>
<li>The attacker accesses the GIF URL, retrieves the file content, and obtains sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the AVideo server. This can lead to the disclosure of sensitive information, including configuration files, source code, and system credentials, potentially leading to further compromise of the server and the AVideo platform. This impacts any AVideo instance running version 26.0 or earlier and puts all associated data at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the recommended fixes from WWBN: Reject any remote image URL whose decoded path contains traversal markers.</li>
<li>Apply the recommended fixes from WWBN: Do not allow attacker-controlled same-origin <code>/videos/...</code> fetches to resolve into local file reads.</li>
<li>Apply the recommended fixes from WWBN: Constrain any local shortcut path handling with <code>realpath()</code> and strict base-directory allowlists.</li>
<li>Apply the recommended fixes from WWBN: Validate GIF content before saving it into public media storage.</li>
<li>Apply the recommended fixes from WWBN: Ensure invalid-image cleanup checks the correct destination path.</li>
<li>Deploy the Sigma rule <code>Detect AVideo LFI Attempt</code> to detect exploitation attempts against the <code>aVideoEncoderReceiveImage.json.php</code> endpoint.</li>
<li>Monitor web server logs for HTTP requests to <code>/objects/aVideoEncoderReceiveImage.json.php</code> containing path traversal sequences in the <code>downloadURL_gifimage</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>avideo</category><category>lfi</category><category>file-disclosure</category><category>php</category></item></channel></rss>