Improper authorization control for web services in wwbn/avideo

Description

AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

Severity: High
CWE: CWE-862 (Missing Authorization)

Summary

The plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database.

Details

The authorization check at plugin/YPTWallet/view/users.json.php:8:

if (!User::isLogged()) {
    die("Is not logged");
}

The query in YPTWallet::getAllUsers() selects all columns from both tables:

$sql = "SELECT w.*, u.*, u.id as user_id, IFNULL(balance, 0) as balance FROM users u "
    . " LEFT JOIN wallet w ON u.id = w.users_id WHERE 1=1 ";

The cleanUpRowFromDatabase() function strips fields matching /pass/i (removes password and recoverPass), but all other PII fields remain: email, phone, address, zip_code, country, region, city, first_name, last_name, birth_date, isAdmin, analyticsCode, donationLink, and balance.

Other endpoints in the same directory (saveBalance.php, adminManageWallets.php, pendingRequests.json.php) all check User::isAdmin().

Proof of Concept

import requests

TARGET = "https://your-avideo-instance.com"

# Step 1: Login as any regular (non-admin) user
session = requests.Session()
session.post(f"{TARGET}/objects/login.json.php", data={
    "user": "regular_user",...

The response contains every user on the platform, including admin accounts, with fields: email, phone, address, zip_code, country, region, city, first_name, last_name, birth_date, isAdmin, balance, analyticsCode, donationLink.

Impact

Any registered user can extract the complete user database with PII (emails, phone numbers, addresses, birth dates, real names) and financial data (wallet balances). This is a mass data breach that may trigger notification requirements under GDPR or CCPA.

Recommended Fix

Change User::isLogged() to User::isAdmin() at plugin/YPTWallet/view/users.json.php:8:

// plugin/YPTWallet/view/users.json.php:8
// Before:
if (!User::isLogged()) {
    die("Is not logged");
}

// After:
if (!User::isAdmin()) {...

This matches the authorization pattern already used by the other endpoints in the same directory (saveBalance.php, adminManageWallets.php, pendingRequests.json.php).
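The /pass/i stripping described under Details and the isAdmin() gate in the Recommended Fix address two different layers, and the following added PHP example (not AVideo's code) shows why both are needed: a pattern denylist drops only password-like keys and leaves every other column, whereas an allow-list projection returns only the columns the endpoint actually needs. The row is constructed sample data shaped like the w.*/u.* join, and the function names are hypothetical.

```php
<?php
// Added example, not AVideo code. Constructed row using the column names
// the advisory lists; values are placeholders.
$row = [
    'user_id'     => 42,
    'user'        => 'regular_user',
    'password'    => 'HASH-PLACEHOLDER',
    'recoverPass' => 'TOKEN-PLACEHOLDER',
    'email'       => 'jane@example.com',
    'phone'       => '+1-555-0100',
    'address'     => '1 Example St',
    'birth_date'  => '1990-01-01',
    'isAdmin'     => 0,
    'balance'     => '12.50',
];

// Denylist, mirroring the /pass/i behaviour described above: only keys
// matching the pattern are dropped; email, phone, address etc. remain.
function stripByPattern(array $row): array
{
    return array_filter($row, function ($key) {
        return !preg_match('/pass/i', $key);
    }, ARRAY_FILTER_USE_KEY);
}

// Allow-list: the endpoint names exactly the columns it needs, so any
// column added to the users or wallet table later is never exposed.
function projectAllowed(array $row, array $allowed): array
{
    return array_intersect_key($row, array_flip($allowed));
}

// Gate plus projection. $callerIsAdmin stands in for User::isAdmin();
// a non-admin caller gets 403 and no data at all.
function walletUsersResponse(bool $callerIsAdmin, array $row): ?array
{
    if (!$callerIsAdmin) {
        http_response_code(403);
        return null;
    }
    return projectAllowed($row, ['user_id', 'user', 'balance']);
}

// Denylist output still carries the PII columns.
print_r(stripByPattern($row));
// Non-admin caller is refused before any query result is touched.
var_dump(walletUsersResponse(false, $row));
// Admin caller receives only the three allow-listed columns.
print_r(walletUsersResponse(true, $row));
```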


Found by aisafe.io

FLAT-55W3E – Vulnerability | Fluid Attacks Database