CVE-2026-35181

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2026-04-03
Project: https://github.com/WWBN/AVideo
Advisory: GHSA-4q27-4rrq-fx95

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 04, 2026 - 00:30 (vuln.today)
CVE Published: Apr 03, 2026 - 23:43 (nvd)

Description

**Severity:** Medium
**CWE:** CWE-352 (Cross-Site Request Forgery)

## Summary

The player skin configuration endpoint at `admin/playerUpdate.json.php` does not validate CSRF tokens. The `plugins` table is explicitly excluded from the ORM's domain-based security check via `ignoreTableSecurityCheck()`, removing the only other layer of defense. Combined with `SameSite=None` cookies, a cross-origin POST can modify the video player appearance on the entire platform.

## Details

In `admin/playerUpdate.json.php` at line 17, the player skin is set directly from POST data:

```php
$pluginDO->skin = $_POST['skin'];
```

No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the `plugins` table is registered in `ignoreTableSecurityCheck()`, which explicitly bypasses this ORM-level protection for plugin configuration.

AVideo's session cookies are configured with `SameSite=None`, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website. An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.

## Proof of Concept

Host the following HTML on an attacker-controlled domain:

```html
<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST" action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
  <input type="hidden" name="skin" value="minimalist" />
</form>
<script>
document.getElementById("csrf").submit();
</script>
</body>
</html>
```

When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.

## Impact

- Platform-wide player appearance modification without admin consent
- Potential disruption of video playback if an invalid skin value is set
- The ORM security bypass via `ignoreTableSecurityCheck()` means there is no fallback protection
- Can be used as part of a broader defacement or social engineering attack

## Recommended Fix

Add CSRF token validation at `admin/playerUpdate.json.php`, before processing POST data:

```php
// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}
```

---

*Found by [aisafe.io](https://aisafe.io)*
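A defender-side check, added here and not part of the advisory or the AVideo project: it scans Combined Log Format access-log lines for POSTs to the endpoint above whose Referer is missing or names a host other than the instance itself, which is the trace a cross-site submission of the kind described leaves in a web server log. The instance hostname `video.example.org` and the log lines are constructed.

```python
"""Flag cross-site POSTs to admin/playerUpdate.json.php in Combined Log Format
access logs: Referer absent or on a host other than the AVideo instance. With
SameSite=None cookies the request still carries the admin's session, so the
Referer is what remains observable. Hostname and log lines are constructed."""
import re
from urllib.parse import urlparse

ENDPOINT = "/admin/playerUpdate.json.php"
# ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parsed fields as a dict, or None when the line is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cross_site_update(entry, own_host):
    """POST to the skin endpoint with no Referer on own_host.
    A missing Referer ("-") is flagged too: a Referrer-Policy on the hosting page
    can suppress it, and the Origin header is not in the standard log format."""
    if entry["method"] != "POST" or entry["path"].split("?", 1)[0] != ENDPOINT:
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        return True
    ref_host = urlparse(referer).hostname
    return ref_host is None or ref_host.lower() != own_host.lower()

def find_suspicious(lines, own_host):
    """(timestamp, client ip, referer) for every flagged line, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_cross_site_update(entry, own_host):
            hits.append((entry["ts"], entry["ip"], entry["referer"]))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [03/Apr/2026:23:40:11 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 48 "https://video.example.org/admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2026:23:41:02 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 48 "https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Apr/2026:23:41:30 +0000] "GET /admin/playerUpdate.json.php HTTP/1.1" 200 48 "https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Apr/2026:23:42:00 +0000] "POST /login HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Apr/2026:23:43:15 +0000] "POST /admin/playerUpdate.json.php?x=1 HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, ref in find_suspicious(SAMPLE_LOG, "video.example.org"):
        print(f"{ts} {ip} cross-site POST to {ENDPOINT}, Referer={ref}")
```

Same-host POSTs, GETs and other paths are left alone; only the foreign-Referer and missing-Referer submissions to the endpoint are reported.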

Analysis

Cross-site request forgery (CSRF) in AVideo's player skin configuration endpoint allows unauthenticated remote attackers to modify the video player appearance platform-wide when an authenticated administrator visits a malicious webpage. The vulnerability stems from missing CSRF token validation combined with disabled ORM-level domain security checks and SameSite=None cookie configuration; a proof-of-concept demonstrates silent modification of player skin settings without admin consent.


Priority Score: 22 (Low / Medium / High / Critical scale)

Score contributions: KEV 0, EPSS +0.0, CVSS +22, POC 0
