SB20260408175 - Multiple vulnerabilities in AVideo

Published: April 8, 2026 Updated: May 4, 2026

Security Bulletin ID: SB20260408175
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 9%, Medium: 55%, Low: 36%

Description

This security bulletin contains information about 11 vulnerabilities.


1) Cleartext storage of sensitive information (CVE-ID: CVE-2026-33867)

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to cleartext storage of sensitive information in objects/video.php when storing and checking video passwords. A remote attacker who obtains read access to the database can disclose the stored passwords.

Passwords for protected videos are stored and compared in plaintext, and exposure can occur through database reads such as SQL injection, backup disclosure, or misconfigured access controls.
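As an added illustration (example code in Python, not AVideo's own PHP), the cleartext store-and-compare pattern this entry describes beside a hardened form that keeps only a salted scrypt verifier and compares in constant time. The VIDEOS dictionary is a constructed stand-in for the database row:

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the videos table; not AVideo's schema.
VIDEOS = {}

# --- Pattern the entry describes: the password itself is stored and compared.
def set_video_password_cleartext(video_id, password):
    VIDEOS[video_id] = {"password": password}

def check_video_password_cleartext(video_id, candidate):
    # Anyone who can read the row (SQLi, leaked backup, over-broad DB grant)
    # learns the password directly.
    return VIDEOS[video_id]["password"] == candidate

# --- Hardened form: a salted, memory-hard verifier is stored; the password is not.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32

def set_video_password_hashed(video_id, password):
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    # Keep the parameters with the row so they can be raised later without a migration.
    VIDEOS[video_id] = {"salt": salt.hex(), "hash": digest.hex(), "n": N, "r": R, "p": P}

def check_video_password_hashed(video_id, candidate):
    row = VIDEOS[video_id]
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(row["salt"]),
                            n=row["n"], r=row["r"], p=row["p"], dklen=DKLEN)
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(row["hash"]))

def stored_row_reveals_password(video_id, password):
    """True when a plain read of the stored row yields the password itself."""
    return password in VIDEOS[video_id].values()
```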


2) Cross-site request forgery (CVE-ID: CVE-2026-34613)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disable security plugins.

The vulnerability exists due to improper access control in the plugin enable/disable endpoint when handling cross-site requests. A remote attacker can trick the victim into sending a crafted request to disable security plugins.

User interaction is required for exploitation.


3) Cross-site request forgery (CVE-ID: CVE-2026-34611)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to send phishing email to all users.

The vulnerability exists due to missing cross-site request forgery protection in emailAllUsers.json.php when handling requests to send email to all users. A remote attacker can trick a victim into submitting a crafted request to send phishing email to all users.

User interaction is required.


4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-34739)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in testIP.php when handling the ip parameter. A remote attacker can send a specially crafted link to execute arbitrary script code in the victim's browser.

User interaction is required to open a crafted link.


5) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in TopMenu plugin menu item fields when rendering stored menu item content. A remote attacker can inject a specially crafted script payload to execute arbitrary script code in a victim's browser.

User interaction is required for a victim to view the affected content.


6) Cross-site request forgery (CVE-ID: CVE-2026-35181)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to modify player skin configuration.

The vulnerability exists due to improper request validation in admin/playerUpdate.json.php when handling crafted cross-site requests. A remote attacker can trick a victim into submitting a crafted request to modify player skin configuration.

User interaction is required to trigger the request.


7) Cross-site request forgery (CVE-ID: CVE-2026-35180)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to overwrite the site logo.

The vulnerability exists due to cross-site request forgery in the site customization endpoint when handling crafted requests from a victim's browser. A remote attacker can trick a victim into submitting a specially crafted request to overwrite the site logo.

User interaction is required to trigger the crafted request.


8) Cross-site scripting (CVE-ID: CVE-2026-33500)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in comment markdown link processing when rendering markdown links containing a javascript: URI. A remote user can post a specially crafted comment containing a markdown link to execute arbitrary script in a victim's browser.

User interaction is required because the victim must click the rendered link.
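An added example (Python, not AVideo's code) of the link-target check that closes this class of bug: decode entities and strip the control and format characters browsers ignore before reading the scheme, then allow only an explicit scheme allowlist. LINK_RE is a constructed minimal [text](url) matcher, not the real markdown parser:

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Constructed minimal [text](url) matcher; AVideo's real markdown parser is not shown here.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")

def safe_link_target(raw):
    """Return the href to emit for a markdown link target, or None to drop the link."""
    # Undo entity encoding first, so &#106;avascript: is seen as javascript:.
    url = html.unescape(raw).strip()
    # Browsers ignore tabs, newlines and other control/format characters inside a
    # scheme, so "java\tscript:" would still run; remove them before checking.
    url = "".join(ch for ch in url if unicodedata.category(ch)[0] not in "CZ")
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return url                      # relative link such as /video/123
    # Denylisting "javascript" alone misses data:, vbscript: and friends; allowlist instead.
    return url if scheme in ALLOWED_SCHEMES else None

def render_comment_links(markdown_text):
    """Render [text](url) links as <a> tags, keeping the text of any link that is dropped."""
    def repl(match):
        text = html.escape(match.group(1))
        href = safe_link_target(match.group(2))
        if href is None:
            return text
        return '<a href="%s" rel="noopener noreferrer">%s</a>' % (
            html.escape(href, quote=True), text)
    return LINK_RE.sub(repl, markdown_text)
```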


9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33502)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to send server-side requests to arbitrary URLs and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in plugin/Live/test.php when handling the statsURL request parameter. A remote attacker can send a specially crafted request to send server-side requests to arbitrary URLs and disclose sensitive information.

The issue can be used to probe localhost and internal network services, including reachable cloud metadata endpoints, and reflected upstream content or errors may be returned to the client.


10) Missing Authorization (CVE-ID: CVE-2026-33501)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authorization in plugin/Permissions/View/Users_groups_permissions/list.json.php when handling direct requests to the permissions listing endpoint. A remote attacker can send a request to retrieve the complete permission matrix mapping user groups to plugins and disclose sensitive information.

The endpoint returns JSON data from the users_groups_permissions table, including group IDs, plugin IDs, permission types, and active or inactive status.


11) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-39370)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from internal services.

The vulnerability exists due to server-side request forgery in objects/aVideoEncoder.json.php when processing attacker-controlled downloadURL values that carry an allowlisted media or archive extension; the extension check does not restrict the target host. A remote user can submit a crafted downloadURL to disclose sensitive information from internal services.

The fetched response is stored as media content and later retrievable through the generated media URL.
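For entries 9 and 11, an added example (Python, not AVideo's code) of the host validation a server-side fetch of a statsURL or downloadURL needs: an extension allowlist says nothing about where the request goes, so the scheme is restricted and every address the host resolves to must be public. ALLOWED_EXTENSIONS and the injectable resolver are constructed stand-ins:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = {".mp4", ".mp3", ".zip"}  # constructed stand-in for the real allowlist

def has_allowlisted_extension(url):
    """The kind of check entry 11 describes: it looks at the path, never at the host."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext) for ext in ALLOWED_EXTENSIONS)

def is_public_address(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so the IPv4 ranges are judged, not the IPv6 wrapper.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16, where
    # cloud metadata services live), CGNAT and reserved ranges.
    return addr.is_global and not addr.is_multicast

def resolve_all(host):
    """Default resolver: every address the name maps to, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_fetch_url(url, resolver=resolve_all):
    """Return (ok, reason). The resolver is injectable so the check can run offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)          # IP literal: judge it directly
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "hostname does not resolve"
    # Every answer must be public; a mixed answer set is how rebinding tricks slip through.
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "resolves to a non-public address"
    # The caller must then connect to one of the validated addresses (not re-resolve)
    # and re-run this check on every redirect hop the HTTP client follows.
    return True, "ok"
```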


Remediation

Install the update from the vendor's website.