SB20260428201 - Multiple vulnerabilities in AVideo
Published: April 28, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the IDOR issue in PayPalYPT agreementCancel.json.php. A remote user can cancel arbitrary PayPal subscription agreements.
2) CRLF injection (CVE-ID: N/A)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data in Scheduler downloadICS.php. A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
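Issue 2 is the classic header-injection pattern: a value taken from the request ends up inside a response header, and a CR-LF pair in that value terminates the header and starts a new one. The following is an added Python example written for this bulletin, not code from AVideo or from the referenced advisories; the filename-to-header flow for an ICS download is a constructed illustration of the defensive pattern, and `ics_filename`, `safe_header_value` and `build_ics_response_headers` are hypothetical names.

```python
import re
from typing import Dict

# HTTP field values may not contain bare CR, LF or NUL (RFC 9110 field-value grammar);
# a CR-LF pair would end this header and begin a new one under the sender's control.
_FORBIDDEN_HEADER_CHARS = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header value would break the response framing."""


def safe_header_value(value: str) -> str:
    # Reject instead of stripping: stripping hides that hostile input arrived and can be
    # undone by a later decoding layer, while a rejected request is visible in logs.
    if _FORBIDDEN_HEADER_CHARS.search(value):
        raise HeaderInjectionError("CR, LF or NUL in header value")
    return value


def ics_filename(requested: str) -> str:
    # Reduce a user-chosen filename to a conservative alphabet before it reaches
    # Content-Disposition; this also removes quotes and path separators.
    stem = re.sub(r"[^A-Za-z0-9._-]", "_", requested).strip("._") or "calendar"
    if not stem.lower().endswith(".ics"):
        stem += ".ics"
    return stem


def build_ics_response_headers(requested_name: str) -> Dict[str, str]:
    """Headers for a calendar download; every value passes the CR-LF gate last."""
    headers = {
        "Content-Type": "text/calendar; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{ics_filename(requested_name)}"',
    }
    # Final gate applied uniformly, so a future header built some other way is still checked.
    return {name: safe_header_value(value) for name, value in headers.items()}


if __name__ == "__main__":
    # Constructed inputs: a benign name and one carrying a CR-LF sequence.
    for requested in ("team.ics", "my cal\r\nX: y.ics"):
        print(build_ics_response_headers(requested))
```

Two layers are deliberate: the allow-list in `ics_filename` keeps the value well-formed for its specific use, and `safe_header_value` is the generic invariant that every outgoing header must satisfy regardless of where the value came from. Most frameworks enforce the second layer themselves; the check matters where raw `header()` calls are assembled by hand.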
3) Missing Authentication for Critical Function (CVE-ID: N/A)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to missing authentication for a critical function in "objects/users.json.php" (the "isCompany" parameter). A remote attacker can gain access to sensitive information on the system.
4) Improper Verification of Source of a Communication Channel (CVE-ID: N/A)
CWE-ID: CWE-940 - Improper Verification of Source of a Communication Channel
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper verification of the source of a communication channel within sendEmail.json.php. A remote attacker can send arbitrary email and perform a phishing attack using the site's real sender identity.
5) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the YPTWallet donation webhook, in the isSSRFSafeURL() function. A remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.
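Issue 5 concerns a URL check that is meant to stop server-side fetches from reaching internal hosts. The following is an added Python example for this bulletin, not AVideo's isSSRFSafeURL() or any code from the referenced advisories; it shows the checks such a gate needs to perform before a webhook URL is fetched. `validate_outbound_url` and the resolver hook are hypothetical names, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    # Every address the name resolves to (A and AAAA) must be checked: one public record
    # does not make a name safe when another record points inside the network.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


# Constructed DNS answers for the demonstration (not real hosts).
CONSTRUCTED_DNS = {
    "hooks.example.test": ["93.184.216.34"],
    "split.example.test": ["93.184.216.34", "10.0.0.9"],  # split-horizon style name
}


def constructed_resolver(host: str) -> Iterable[str]:
    return CONSTRUCTED_DNS.get(host, [])


def _is_public(ip) -> bool:
    # is_global already excludes RFC 1918, loopback and shared address space; the
    # explicit flags cover multicast and reserved ranges on older Python versions.
    return ip.is_global and not (ip.is_multicast or ip.is_reserved or ip.is_loopback
                                 or ip.is_link_local or ip.is_unspecified)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return None when the URL may be fetched server-side, otherwise the rejection reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"  # avoids 'trusted@host' parsing confusion
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return "name does not resolve"
        if not addrs:
            return "name does not resolve"
    for ip in addrs:
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not _is_public(ip):
            return f"resolves to non-public address {ip}"
    return None


if __name__ == "__main__":
    for candidate in ("https://hooks.example.test/notify", "https://split.example.test/notify",
                      "http://[::ffff:169.254.169.254]/", "file:///etc/passwd"):
        print(candidate, "->", validate_outbound_url(candidate, constructed_resolver))
```

Validating the URL once is necessary but not sufficient: the fetch should connect to the address that was validated (rather than resolving the name a second time), and any redirect target must go through the same check before it is followed.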
6) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in objects/plugins.json.php. A remote attacker can read the APISecret value on the system.
7) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in isSSRFSafeURL(). A remote user can trick a victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
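Issue 7 is a failure to verify where a state-changing request came from. The following is an added Python example for this bulletin, not AVideo's code or anything from the referenced advisories; it combines the two standard defences, an Origin/Referer check against the site's own origin and a per-session anti-CSRF token compared in constant time. The origin set and `check_csrf` are hypothetical, constructed for the demonstration.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed: the deployment's own origin(s), compared exactly (scheme, host and port).
ALLOWED_ORIGINS = {"https://video.example.test"}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token() -> str:
    # Random per-session token kept server-side and echoed in forms or a request header.
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> Optional[str]:
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(method: str, headers: Mapping[str, str],
               submitted_token: Optional[str], session_token: str) -> Optional[str]:
    """Return None when a state-changing request may proceed, otherwise the rejection reason."""
    if method.upper() in SAFE_METHODS:
        return None  # safe methods must not change state; that is enforced by design, not here
    hdrs = {name.lower(): value for name, value in headers.items()}
    origin = hdrs.get("origin")
    if origin is None and "referer" in hdrs:
        origin = _origin_of(hdrs["referer"])  # fall back to the Referer's origin
    if origin is None:
        return "missing Origin/Referer"  # fail closed: browsers send Origin on cross-site POST
    if origin.lower() not in ALLOWED_ORIGINS:
        return f"origin {origin} not allowed"
    if not submitted_token or not hmac.compare_digest(
            submitted_token.encode("utf-8"), session_token.encode("utf-8")):
        return "CSRF token missing or mismatched"
    return None


if __name__ == "__main__":
    token = issue_csrf_token()
    # Constructed requests: one cross-site, one legitimate.
    print(check_csrf("POST", {"Origin": "https://attacker.example"}, token, token))
    print(check_csrf("POST", {"Origin": "https://video.example.test"}, token, token))
```

The origin check alone would be bypassed by any same-origin script-injection flaw, and the token alone does not cover endpoints that forget to read it, so the two are layered; `SameSite` cookies add a third, browser-enforced layer. Failing closed on a missing Origin and Referer rejects some privacy-hardened clients on POST, which is the usual trade-off for a check that must never pass an unverified request.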
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj
- https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq
- https://github.com/WWBN/AVideo/security/advisories/GHSA-5hgj-7gm9-cff5
- https://github.com/WWBN/AVideo/security/advisories/GHSA-wp38-whx3-xffh
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xr49-f4rh-qcjf
- https://github.com/WWBN/AVideo/security/advisories/GHSA-2hch-c97c-g99x