Daniel Neto

118 exploits. Active since May 2023.
CVE-2026-33038 (HIGH)
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization (database setup, admin account creation, and configuration file write) from unauthenticated POST input. The only guard is a check for whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
CVSS 8.1
CVE-2026-33039 (HIGH)
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser() without re-validation, allowing an attacker to reach internal services (cloud metadata, RFC1918 addresses) through an attacker-controlled redirect. This issue is fixed in version 26.0.
CVSS 8.6
CVE-2026-33041 (MEDIUM)
AVideo <26.0 encryptPass.json.php - Password Hash Oracle
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0.
CVSS 5.3
CVE-2026-33043 (HIGH)
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
CVSS 8.1
CVE-2026-30885 (MEDIUM)
WWBN AVideo <25.0 - Info Disclosure
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
CVSS 5.3
CVE-2026-28501 (CRITICAL)
WWBN AVideo < 24.0 - Unauthenticated SQL Injection via catName Parameter in JSON POST Request
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
CVSS 9.8
CVE-2026-28502 (HIGH)
WWBN AVideo <24.0 - Authenticated RCE
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficient validation of extracted file contents, the archive was extracted directly into a web-accessible plugin directory, allowing arbitrary PHP code execution. This issue has been patched in version 24.0.
CVSS 8.8
CVE-2026-27568 (MEDIUM)
WWBN AVideo < 21.0 - Authenticated Stored Cross-Site Scripting via Markdown Link Injection
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.
CVSS 6.1
CVE-2026-27732 (HIGH)
WWBN AVideo < 22.0 - Authenticated Server-Side Request Forgery via aVideoEncoder.json.php DownloadURL Parameter
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
CVSS 8.1
CVE-2025-34434 (CRITICAL)
AVideo < 20.1 - Unauthenticated Arbitrary File Upload and Deletion via ImageGallery Plugin
AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.
CVSS 9.1
CVE-2025-34435 (MEDIUM)
AVideo < 20.1 - Authenticated Arbitrary File Deletion via IDOR
AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.
CVSS 6.5
CVE-2025-34436 (HIGH)
AVideo < 20.1 - Authenticated Arbitrary File Upload via Insecure Direct Object Reference
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.
CVSS 8.8
CVE-2025-34437 (HIGH)
AVideo < 20.1 - Authenticated Arbitrary Comment Image Upload via Missing Ownership Check
AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.
CVSS 8.8
CVE-2025-34438 (HIGH)
AVideo < 20.1 - Insecure Direct Object Reference in Video Rotation Metadata
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.
CVSS 8.1
CVE-2025-34439 (MEDIUM)
AVideo < 20.1 - Open Redirect via cancelUri Parameter
AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.
CVSS 6.1
CVE-2025-34440 (MEDIUM)
AVideo < 20.1 - Open Redirect via siteRedirectUri Parameter
AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.
CVSS 6.1
CVE-2025-34441 (HIGH)
AVideo < 20.1 - Unauthenticated Exposure of Sensitive User Information via Public API
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
CVSS 7.5
CVE-2025-34442 (HIGH)
AVideo < 20.1 - Sensitive System Information Exposure via Public API Endpoints
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
CVSS 7.5