SB20260408175 - Multiple vulnerabilities in AVideo
Published: April 8, 2026
Breakdown by Severity (chart legend: Low, Medium, High, Critical; per-level counts are not preserved in this text)
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Cleartext storage of sensitive information (CVE-ID: CVE-2026-33867)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in objects/video.php when storing and checking video passwords. A remote attacker who obtains read access to the database can disclose sensitive information.
Passwords for protected videos are stored and compared in plaintext, and exposure can occur through database reads such as SQL injection, backup disclosure, or misconfigured access controls.
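The following is an added example of how a per-video password can be stored and checked without keeping the cleartext; it is not AVideo's code and does not reproduce objects/video.php. Function names, the sample password and the migration helper are hypothetical, and it assumes PHP 8 with the standard password_* functions.

```php
<?php
// Added example (not AVideo's code): hashed storage and verification of a
// per-video password, as a replacement for storing and comparing cleartext.
// Function names and the sample values below are hypothetical/constructed.
declare(strict_types=1);

/** Hash a video password for storage; only the hash goes into the database. */
function hashVideoPassword(string $password): string
{
    // password_hash() generates a random salt and uses a slow algorithm
    // (bcrypt with PASSWORD_DEFAULT), so a leaked column is not directly usable.
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Check a password supplied by a viewer against the stored hash. */
function checkVideoPassword(string $supplied, string $storedHash): bool
{
    // password_verify() reads algorithm, cost and salt from the hash itself
    // and compares in constant time, replacing a plain string equality check.
    return password_verify($supplied, $storedHash);
}

/**
 * Migration helper (hypothetical): during a transition a column may still hold
 * cleartext values. Returns true when the stored value is not a password_hash()
 * output, i.e. the row should be rehashed the next time the password is seen.
 */
function isLegacyCleartext(string $stored): bool
{
    return password_get_info($stored)['algoName'] === 'unknown';
}

/**
 * Verify-and-upgrade path: accepts the viewer's input against either form and
 * returns the value that should be written back if the row needs upgrading.
 * Returns null on failure, '' when no write is needed, or a new hash.
 */
function checkAndUpgrade(string $supplied, string $stored): ?string
{
    if (isLegacyCleartext($stored)) {
        // Legacy row: compare in constant time, then replace the cleartext.
        return hash_equals($stored, $supplied) ? hashVideoPassword($supplied) : null;
    }
    if (!checkVideoPassword($supplied, $stored)) {
        return null;
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? hashVideoPassword($supplied)
        : '';
}

// Constructed demonstration: a protected video whose password is "demo-only-pass".
$storedHash = hashVideoPassword('demo-only-pass');
echo checkVideoPassword('demo-only-pass', $storedHash) ? "access granted\n" : "access denied\n";
echo checkVideoPassword('wrong', $storedHash) ? "access granted\n" : "access denied\n";

// Constructed legacy row still holding cleartext: a correct guess returns a
// hash to write back, after which isLegacyCleartext() is false for that row.
$upgrade = checkAndUpgrade('demo-only-pass', 'demo-only-pass');
echo $upgrade === null ? "legacy check failed\n" : "legacy row upgraded\n";
```

The practical check for a deployment is to query the video table for values that do not start with a recognised hash prefix (for bcrypt, `$2y$`); any such row is still cleartext and remains exposed to the database-read scenarios listed above until it is rehashed.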
2) Cross-site request forgery (CVE-ID: CVE-2026-34613)
The vulnerability allows a remote attacker to disable security plugins.
The vulnerability exists due to improper access control in the plugin enable/disable endpoint when handling cross-site requests. A remote attacker can trick the victim into sending a crafted request to disable security plugins.
User interaction is required for exploitation.
3) Cross-site request forgery (CVE-ID: CVE-2026-34611)
The vulnerability allows a remote attacker to send phishing email to all users.
The vulnerability exists due to missing cross-site request forgery protection in emailAllUsers.json.php when handling requests to send email to all users. A remote attacker can trick a victim into submitting a crafted request to send phishing email to all users.
User interaction is required.
4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-34739)
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in testIP.php when handling the ip parameter. A remote attacker can send a specially crafted link to execute arbitrary script code in the victim's browser.
User interaction is required to open a crafted link.
5) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in TopMenu plugin menu item fields when rendering stored menu item content. A remote attacker can inject a specially crafted script payload to execute arbitrary script code in a victim's browser.
User interaction is required for a victim to view the affected content.
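Items 4 and 5 are the reflected and stored forms of the same defect: a value under attacker influence reaches the HTML without being encoded. The added example below, which is not AVideo's code and does not reproduce testIP.php or the TopMenu plugin, shows output encoding for both cases. Function names, the menu structure and the sample inputs are hypothetical, and it assumes PHP 8.

```php
<?php
// Added example (not AVideo's code): escaping untrusted values before they are
// written into HTML. Covers a reflected request parameter and stored menu
// items read from a database. All names and inputs are hypothetical/constructed.
declare(strict_types=1);

/** Escape a string for HTML text content or a double-quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE keeps invalid
    // UTF-8 from silently emptying the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Reflected case: a request parameter that is shown back to the user.
 * Validate first (an IP address has a narrow shape), then escape on output
 * regardless, so the error path cannot become an injection point.
 */
function renderIpCheck(array $get): string
{
    $ip = (string) ($get['ip'] ?? '');
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return '<p>Invalid IP address: ' . h($ip) . '</p>';
    }
    return '<p>Testing IP ' . h($ip) . '</p>';
}

/**
 * Stored case: menu items loaded from the database. Title and link are both
 * under the control of whoever could write them, so escape on output and
 * allow only http/https or site-relative links in href.
 */
function renderMenu(array $items): string
{
    $html = '<ul>';
    foreach ($items as $item) {
        $href = (string) ($item['href'] ?? '#');
        $scheme = parse_url($href, PHP_URL_SCHEME);
        $isRelative = ($scheme === null)
            && str_starts_with($href, '/')
            && !str_starts_with($href, '//'); // reject protocol-relative links
        $isWeb = is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
        if (!$isRelative && !$isWeb) {
            $href = '#'; // refuse javascript:, data: and other non-web schemes
        }
        $html .= '<li><a href="' . h($href) . '">' . h((string) ($item['title'] ?? '')) . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed inputs: markup that would be interpreted if rendered unescaped.
echo renderIpCheck(['ip' => '192.0.2.1<script>alert(1)</script>']), "\n";
echo renderMenu([
    ['title' => 'Home', 'href' => '/'],
    ['title' => 'Docs', 'href' => 'https://example.invalid/docs'],
    ['title' => '<script>alert(1)</script>', 'href' => 'javascript:alert(1)'],
]), "\n";
```

Escaping belongs at the point of output, not at storage time: a value sanitised on the way in is still unsafe when it is later placed in a different context (attribute, URL, script block), and a value that was already in the database before the fix is only covered by output encoding.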
6) Cross-site request forgery (CVE-ID: CVE-2026-35181)
The vulnerability allows a remote attacker to modify player skin configuration.
The vulnerability exists due to improper request validation in admin/playerUpdate.json.php when handling crafted cross-site requests. A remote attacker can trick a victim into submitting a crafted request to modify player skin configuration.
User interaction is required to trigger the request.
7) Cross-site request forgery (CVE-ID: CVE-2026-35180)
The vulnerability allows a remote attacker to overwrite the site logo.
The vulnerability exists due to cross-site request forgery in the site customization endpoint when handling crafted requests from a victim's browser. A remote attacker can trick a victim into submitting a specially crafted request to overwrite the site logo.
User interaction is required to trigger the crafted request.
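Items 2, 3, 6 and 7 share one root cause: a state-changing endpoint accepts a request carried only by the victim's session cookie, with nothing proving the request was issued by the site's own pages. The added example below, which is not AVideo's code and does not reproduce any of the named endpoints, shows a synchronizer token with an Origin/Referer check as a second layer. Function names and the host name are hypothetical, and it assumes PHP sessions.

```php
<?php
// Added example (not AVideo's code): CSRF protection for state-changing admin
// endpoints (plugin toggles, mass email, player and site customisation).
// Function names and the host name are hypothetical; assumes PHP sessions.
declare(strict_types=1);

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a state-changing request only if it is a POST, carries the session's
 * token (form field or X-CSRF-Token header, for JSON endpoints), and any
 * Origin/Referer header present names this site. The token comparison uses
 * hash_equals() so the check does not leak timing information.
 */
function isSameSiteRequest(array $server, array $post, string $expectedHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // GET must never change state; it is trivially forgeable
    }
    $expected = (string) ($_SESSION['csrf_token'] ?? '');
    $supplied = (string) ($post['csrf_token'] ?? $server['HTTP_X_CSRF_TOKEN'] ?? '');
    if ($expected === '' || $supplied === '' || !hash_equals($expected, $supplied)) {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($origin !== null) {
        $host = parse_url((string) $origin, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
            return false; // request page lives on another origin
        }
    }
    return true;
}

// Usage at the top of an endpoint such as a plugin enable/disable handler.
// SameSite=Lax on the session cookie is a third layer: browsers then omit the
// cookie from cross-site POSTs even if the token check were missing.
session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true]);
session_start();
header('Content-Type: application/json');

if (!isSameSiteRequest($_SERVER, $_POST, 'video.example.invalid')) {
    http_response_code(403);
    echo json_encode(['error' => 'request rejected: missing or invalid CSRF token']);
    exit;
}
// ... only now apply the requested change ...
```

For endpoints that are called from the site's own JavaScript rather than from a form, the token can be exposed once in the page (for example via a meta tag) and sent in the X-CSRF-Token header; a cross-site page cannot read that value, so a forged request will fail the comparison. Whichever layer is added, the check must run before any side effect, not after the plugin state, email queue or logo file has already been touched.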
Remediation
Install the update from the vendor's website.
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg
- https://github.com/advisories/GHSA-363v-5rh8-23wg
- https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44
- https://github.com/WWBN/AVideo/security/advisories
- https://github.com/WWBN/AVideo/security/advisories/GHSA-c4xj-x7p8-3x7q
- https://github.com/WWBN/AVideo/security/advisories/GHSA-jqrj-chh6-8h78
- https://github.com/WWBN/AVideo/security
- https://github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq
- https://github.com/WWBN/AVideo/security/advisories/GHSA-4q27-4rrq-fx95
- https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c
- https://github.com/WWBN/AVideo