SB20260408173 - Multiple vulnerabilities in AVideo

Published: April 8, 2026

Security Bulletin ID: SB20260408173
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

High: 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-29093)

The vulnerability allows a remote attacker to read, modify, or flush session data.

The vulnerability exists because the memcached service used as the PHP session store is exposed to the wrong sphere: when the published memcached port is reachable over the network, a remote attacker can connect to it and issue memcached commands to read, alter, or delete session data.

Session data contains authentication state including user identifiers, admin flags, email addresses, and password hashes.
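As an added example (not AVideo project code), the following Python script audits a Linux host for the condition described above: a memcached listener bound to an address other than loopback. It parses the output of `ss -ltnH`; the sample output is constructed, and port 11211 is memcached's well-known default, which the bulletin itself does not state.

```python
"""Audit a Linux host for a memcached listener reachable from other hosts.

Added example, not AVideo project code. It parses the output of `ss -ltnH`
(one TCP listener per line) and reports listeners on the memcached port bound
to a wildcard or non-loopback address. The sample output is constructed.
"""
import ipaddress
import subprocess
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # memcached's well-known default; not stated in the bulletin

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def reachable_beyond_loopback(self) -> bool:
        """True if other hosts can connect to this bind address."""
        if self.address in WILDCARDS:
            return True
        try:
            ip = ipaddress.ip_address(self.address.strip("[]"))
        except ValueError:
            return True  # unrecognised form: fail closed and report it
        return not ip.is_loopback


def parse_ss_listeners(ss_output: str) -> list:
    """Parse `ss -ltnH` lines (State Recv-Q Send-Q Local:Port Peer:Port ...)."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, sep, port = fields[3].rpartition(":")
        if not sep or not port.isdigit():
            continue
        listeners.append(Listener(addr, int(port)))
    return listeners


def exposed_memcached(ss_output: str, port: int = MEMCACHED_PORT) -> list:
    """Listeners on `port` that accept connections from beyond loopback."""
    return [l for l in parse_ss_listeners(ss_output)
            if l.port == port and l.reachable_beyond_loopback()]


def audit_live_host() -> list:
    """Run `ss` on this host (Linux only) and return the exposed listeners."""
    out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True).stdout
    return exposed_memcached(out)


# Constructed sample: memcached published on all interfaces (IPv4 and IPv6)
# by docker-proxy, a loopback-only instance, and an unrelated HTTPS listener.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 1024 0.0.0.0:11211 0.0.0.0:* users:(("docker-proxy",pid=1201,fd=4))
LISTEN 0 1024 [::]:11211 [::]:* users:(("docker-proxy",pid=1207,fd=4))
LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=998,fd=26))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1300,fd=4))
"""

if __name__ == "__main__":
    for hit in exposed_memcached(SAMPLE_SS_OUTPUT):
        print(f"memcached reachable beyond loopback: {hit.address}:{hit.port}")
```

Run the audit on the Docker host rather than inside a container: a published port is implemented by docker-proxy or iptables on the host, so that is where the wildcard listener shows up. The deployment-side fix is to stop publishing the memcached port (or bind the mapping to 127.0.0.1) and leave memcached reachable only on the internal network shared with the PHP container.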


2) Insecure Default Initialization of Resource (CVE-ID: CVE-2026-33037)

The vulnerability allows a remote attacker to gain administrative access to the application.

The vulnerability exists due to insecure default initialization of a resource in the official Docker deployment manifests and automated installer: when AVideo is deployed without overriding the default admin password, a remote attacker can log in with the predictable default admin credential and gain administrative access to the application.

Exploitation depends on deployments that retain the default SYSTEM_ADMIN_PASSWORD value during installation.


3) Missing Authentication for Critical Function (CVE-ID: CVE-2026-33038)

The vulnerability allows a remote attacker to gain full administrative access to the application.

The vulnerability exists due to missing authentication for a critical function in install/checkConfiguration.php, which processes unauthenticated POST requests on uninitialized deployments. A remote attacker can send a specially crafted POST request to gain full administrative access to the application.

Exploitation is possible only when the deployment is in an uninitialized state and videos/configuration.php does not yet exist.
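As an added example (not AVideo project code), the Python below shows the detection a defender would run against web server access logs for this issue: it parses Apache/nginx "combined" format lines and returns the POST requests to install/checkConfiguration.php, the endpoint named above. The log lines are constructed.

```python
"""Flag POST requests to the AVideo installer endpoint in web server access logs.

Added example, not AVideo project code. It parses Apache/nginx "combined"
format lines and returns the POSTs to install/checkConfiguration.php, the
endpoint the bulletin names; the sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

INSTALLER_PATH = "/install/checkConfiguration.php"  # endpoint named in the bulletin

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Request:
    ip: str
    time: str
    method: str
    path: str      # query string removed
    status: int


def parse_line(line: str) -> Optional[Request]:
    """One combined-format line to a Request, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    return Request(m["ip"], m["time"], m["method"], path, int(m["status"]))


def installer_posts(log_text: str) -> List[Request]:
    """All POSTs to the installer endpoint, whatever the response status."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req and req.method == "POST" and req.path.lower().endswith(INSTALLER_PATH.lower()):
            hits.append(req)
    return hits


def processed_installer_posts(log_text: str) -> List[Request]:
    """POSTs the server answered with 2xx, i.e. it actually processed them.
    On a completed installation this should never happen."""
    return [r for r in installer_posts(log_text) if 200 <= r.status < 300]


# Constructed sample log: one processed POST, one rejected POST with a query
# string, and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2026:10:15:01 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.2 - - [08/Apr/2026:10:15:05 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2026:10:15:09 +0000] "POST /install/checkConfiguration.php?step=2 HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.9 - - [08/Apr/2026:10:16:00 +0000] "GET /install/checkConfiguration.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for req in processed_installer_posts(SAMPLE_LOG):
        print(f"{req.time} {req.ip} POST {req.path} -> {req.status}")
```

Because the bulletin ties exploitability to the uninitialized state, the complementary check is on the deployment itself: once videos/configuration.php exists, the install directory should no longer be reachable through the web server, and any 2xx response to a POST on this endpoint after that point is worth investigating.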


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33039)

The vulnerability allows a remote attacker to disclose sensitive information from internal services.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/LiveLinks/proxy.php when it processes a user-supplied URL that returns an HTTP redirect. A remote attacker can supply a crafted URL that redirects to an internal endpoint and thereby disclose sensitive information from internal services.

The issue occurs because the redirect target is fetched without being re-validated, and the returned response can include cloud metadata such as IAM credentials.
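As an added example (not AVideo's plugin/LiveLinks/proxy.php), the Python below shows the check the paragraph above says is missing: redirects are followed by hand and every hop is validated the same way as the original URL before it is requested, rejecting hosts that resolve to non-public addresses, which include the link-local range where cloud metadata services live. The `fetch` and `resolve` callables are injected so the example runs offline; the DNS table and responses are constructed, and the policy itself is this example's assumption, not the vendor's fix.

```python
"""Fetch a user-supplied URL while re-validating every redirect hop.

Added example, not AVideo's plugin/LiveLinks/proxy.php. `fetch` and `resolve`
are injected so the example runs offline; the DNS table and responses below
are constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lowercase names
    body: bytes = b""


class UnsafeTarget(Exception):
    """Raised when a URL (original or redirect target) fails the policy."""


def validate_url(url: str, resolve: Callable[[str], List[str]]) -> None:
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeTarget("URL has no host")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials in URL")
    addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        raise UnsafeTarget(f"{parts.hostname} did not resolve")
    # is_global is False for RFC 1918, loopback, link-local, multicast, reserved.
    for ip in addrs:
        if not ip.is_global:
            raise UnsafeTarget(f"{parts.hostname} resolves to non-public {ip}")


def system_resolve(host: str) -> List[str]:
    """System resolver; IP literals pass through unchanged."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def fetch_with_validated_redirects(url, fetch, resolve=system_resolve, max_redirects=MAX_REDIRECTS):
    """`fetch(url)` must make one request and NOT follow redirects itself."""
    hops = [url]
    for _ in range(max_redirects + 1):
        validate_url(url, resolve)          # every hop, not just the first
        resp = fetch(url)
        if resp.status not in REDIRECT_STATUSES:
            return resp, hops
        location = resp.headers.get("location")
        if not location:
            raise UnsafeTarget("redirect without Location header")
        url = urljoin(url, location)        # relative Location values resolved too
        hops.append(url)
    raise UnsafeTarget("too many redirects")


def try_fetch(url, fetch, resolve):
    """('ok', status, hops) when allowed, ('blocked', reason, None) otherwise."""
    try:
        resp, hops = fetch_with_validated_redirects(url, fetch, resolve)
        return ("ok", resp.status, hops)
    except UnsafeTarget as exc:
        return ("blocked", str(exc), None)


# --- constructed offline fixtures ---------------------------------------
def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    def resolve(host: str) -> List[str]:
        try:
            return [str(ipaddress.ip_address(host))]   # literal IP in the URL
        except ValueError:
            return table.get(host, [])
    return resolve

SAMPLE_DNS = {"redirector.example": ["1.2.3.4"], "cdn.example": ["1.2.3.5"]}

SAMPLE_RESPONSES = {
    # public host that bounces the client to a link-local metadata address
    "http://redirector.example/meta": Response(302, {"location": "http://169.254.169.254/"}),
    # public host that redirects to another public host: allowed
    "http://redirector.example/ok": Response(302, {"location": "http://cdn.example/video.mp4"}),
    "http://cdn.example/video.mp4": Response(200, {}, b"\x00\x00\x00\x18ftypmp42"),
}

def sample_fetch(url: str) -> Response:
    return SAMPLE_RESPONSES[url]

if __name__ == "__main__":
    resolve = table_resolver(SAMPLE_DNS)
    print(try_fetch("http://redirector.example/meta", sample_fetch, resolve))
    print(try_fetch("http://redirector.example/ok", sample_fetch, resolve))
```

Validating the hostname and then letting an HTTP client resolve it again leaves a window for the answer to change between the two lookups, so a production version should connect to the address it validated (or validate inside the connect step) rather than re-resolving. The same policy has to apply to the first URL as to each redirect target; the bulletin's point is that only the latter was skipped.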


Remediation

Install the update from the vendor's website.