SB2026050466 - Multiple vulnerabilities in AVideo
Published: May 4, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-33043)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to hijack a user's session and take over the account.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in /objects/phpsessionid.json.php when handling credentialed cross-origin requests. A remote attacker can host a crafted webpage that triggers a cross-origin request and reads the returned session ID to hijack a user's session and take over the account.
User interaction is required, and exploitation occurs when a logged-in user visits an attacker-controlled page.
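The mechanism behind this finding is a CORS response that echoes any Origin and also allows credentials, so the browser lets the attacker's page read the response body. The following is an added example, not AVideo's own code: it models that header combination next to an allowlist policy that closes it, with a checker that applies the browser's CORS rules (the allowlist entry is a constructed assumption).

```python
"""Check whether a CORS response lets a cross-origin page read a credentialed
response. Added illustration, not code from AVideo."""

# Constructed allowlist of origins permitted to make credentialed requests.
ALLOWED_ORIGINS = {"https://app.example.org"}


def vulnerable_cors_headers(request_origin):
    """Reflect any Origin and allow credentials: a script on the requesting
    origin can then read the body (here, the session ID) with cookies attached."""
    headers = {}
    if request_origin:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def hardened_cors_headers(request_origin):
    """Only allowlisted origins get a credentialed CORS grant; any other origin
    receives no Access-Control-Allow-Origin header at all."""
    headers = {"Vary": "Origin"}  # keep caches from serving one origin's grant to another
    if request_origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cross_origin_credentialed_read(request_origin, headers):
    """Return True when a script on request_origin may read this response from a
    request sent with credentials, per the browser's CORS rules."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return False
    if acao == "*":
        # Browsers refuse the wildcard for credentialed requests.
        return False
    return creds and acao == request_origin


def audit(policy, probe_origin="https://attacker.invalid"):
    """Simulate a credentialed request from an untrusted origin against a policy."""
    return cross_origin_credentialed_read(probe_origin, policy(probe_origin))
```

Running the audit against a live endpoint amounts to sending a request with an unrelated Origin header and checking the two response headers the same way; a reflected Origin plus `Access-Control-Allow-Credentials: true` is the signature to alert on.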
2) Information disclosure (CVE-ID: CVE-2026-33041)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in objects/encryptPass.json.php when handling password hash requests. A remote attacker can submit arbitrary passwords to obtain their hashed equivalents to disclose sensitive information.
By default, salt is not enabled, making the returned hash deterministic and identical to what is stored in the database.
Remediation
Install the update from the vendor's website.