Avideo
Monthly
Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.
Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.
Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.
Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.
Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.
Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.
Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
Stored SSRF in WWBN AVideo 26.0 and prior allows authenticated streamers with low-privilege streaming permissions to store arbitrary callback URLs in the live restream log feature, triggering server-side requests to internal or loopback HTTP services. The vulnerability affects all versions up to and including 26.0; exploitation requires valid streaming credentials but no user interaction. No public exploit code has been identified, though a proof-of-concept exists per CISA SSVC data.
Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files, which executes in the browsers of unauthenticated visitors to the public EPG page without sanitization. Attackers can exploit this to hijack sessions and takeover accounts of any user viewing the compromised EPG. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. This enables attackers to scan internal networks, access cloud metadata services, and interact with internal services without the authentication or complexity barriers normally present in network-based attacks. No public exploit code identified at time of analysis.
WWBN AVideo versions 26.0 and prior allow authenticated uploaders to bypass content moderation by directly setting video status to active via an unvalidated overrideStatus parameter, circumventing admin-controlled review workflows. The vulnerability affects any user with upload permissions and has a CVSS score of 4.3 (low-to-moderate severity) with no public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.
SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.
WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints `get_api_video_file` and `get_api_video`, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the `CustomizeUser::getModeYouTube()` hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.
WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.
WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.
WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.
Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.
Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.
Unauthenticated SQL injection in AVideo before 24.0.
Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via an unvalidated downloadURL parameter in the aVideoEncoder.json.php endpoint. An attacker can exploit this to probe internal network services, access metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise. This affects PHP deployments running vulnerable AVideo versions.
Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.
Avideo versions up to 8.1 contains a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).
Avideo versions up to 8.1 is affected by weak password recovery mechanism for forgotten password (CVSS 5.3).
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. [CVSS 5.3 MEDIUM]
WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 17.4%.
A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
WWBN AVideo is an open source video platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
AVideo Platform is an open-source Audio and Video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.
Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.
Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.
Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.
Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.
Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.
Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
Stored SSRF in WWBN AVideo 26.0 and prior allows authenticated streamers with low-privilege streaming permissions to store arbitrary callback URLs in the live restream log feature, triggering server-side requests to internal or loopback HTTP services. The vulnerability affects all versions up to and including 26.0; exploitation requires valid streaming credentials but no user interaction. No public exploit code has been identified, though a proof-of-concept exists per CISA SSVC data.
Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files, which executes in the browsers of unauthenticated visitors to the public EPG page without sanitization. Attackers can exploit this to hijack sessions and takeover accounts of any user viewing the compromised EPG. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. This enables attackers to scan internal networks, access cloud metadata services, and interact with internal services without the authentication or complexity barriers normally present in network-based attacks. No public exploit code identified at time of analysis.
WWBN AVideo versions 26.0 and prior allow authenticated uploaders to bypass content moderation by directly setting video status to active via an unvalidated overrideStatus parameter, circumventing admin-controlled review workflows. The vulnerability affects any user with upload permissions and has a CVSS score of 4.3 (low-to-moderate severity) with no public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.
SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.
WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints `get_api_video_file` and `get_api_video`, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the `CustomizeUser::getModeYouTube()` hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.
WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.
WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.
WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.
Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.
Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.
Unauthenticated SQL injection in AVideo before 24.0.
Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via an unvalidated downloadURL parameter in the aVideoEncoder.json.php endpoint. An attacker can exploit this to probe internal network services, access metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise. This affects PHP deployments running vulnerable AVideo versions.
Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.
Avideo versions up to 8.1 contains a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).
Avideo versions up to 8.1 is affected by weak password recovery mechanism for forgotten password (CVSS 5.3).
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. [CVSS 5.3 MEDIUM]
WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 17.4%.
A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
WWBN AVideo is an open source video platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
AVideo Platform is an open-source Audio and Video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.