SB2026050468 - Multiple vulnerabilities in AVideo


Published: May 4, 2026

Security Bulletin ID: SB2026050468
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 40%, Low 60%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33297)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass channel-level access control and disclose protected content.

The vulnerability exists due to improper access control in the setPassword.json.php endpoint of the CustomizeUser plugin when processing administrator-supplied ProfilePassword values for another user's channel. A remote privileged user can submit a non-numeric password for another user's channel to bypass channel-level access control and disclose protected content.

Any visitor who enters 0 as the channel password can access the affected channel content.


2) Open redirect (CVE-ID: CVE-2026-33296)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect users to an attacker-controlled site.

The vulnerability exists due to URL redirection to an untrusted site in view/userLogin.php when processing a user-supplied redirectUri parameter during the login flow. A remote attacker can send a specially crafted login URL to redirect users to an attacker-controlled site.

User interaction is required to follow the crafted link and complete or dismiss the login popup before the redirect occurs.


3) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-33295)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists due to cross-site scripting in the CDN plugin downloadButtons.php component when rendering the user-supplied clean_title field into a JavaScript string literal on the download page. A remote user can create or modify a video with a specially crafted title to execute arbitrary JavaScript in the browser of another user.

User interaction is required, as a victim must visit the affected download page for the attacker-controlled video.
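As an added illustration of the bug class in item 3 (this is not AVideo's own code; the variable and function names are hypothetical), the following PHP contrasts interpolating an untrusted title straight into a JavaScript string literal with emitting it through json_encode, the standard fix for this rendering context:

```php
<?php
// Added example, not AVideo's code: hardening for an untrusted video title that
// is written into a JavaScript string literal inside a <script> block.

// Constructed sample value standing in for the clean_title field. It carries the
// two sequences that matter here: a quote that ends a single-quoted JS literal,
// and "</script>", which the HTML parser treats as the end of the script block.
$cleanTitle = "Demo ' title </script>";

// Vulnerable pattern (hypothetical, shown for contrast): string concatenation
// lets the title terminate the literal and the script element itself.
$vulnerable = "<script>var title = '" . $cleanTitle . "';</script>";

// Hardened: emit the value as a JSON string, which is also a valid JS string
// literal, and hex-escape the characters significant in an HTML script context.
// json_encode additionally escapes "/" (so "</script>" cannot survive) and
// non-ASCII characters such as U+2028/U+2029 line terminators. Invalid UTF-8
// throws instead of silently producing output.
function jsStringLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$hardened = "<script>var title = " . jsStringLiteral($cleanTitle) . ";</script>";

echo "Vulnerable: ", $vulnerable, PHP_EOL;
echo "Hardened:   ", $hardened, PHP_EOL;
```

The hardened output keeps the title as data: the quote, the angle brackets and the slash all appear as JSON escapes, so the browser never sees a closing tag or an unbalanced literal.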


4) OS Command Injection (CVE-ID: CVE-2026-33319)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary OS commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the SocialMediaPublisher plugin uploadVideoToLinkedIn() method when processing a LinkedIn API upload URL in a shell command. A remote privileged user can influence the LinkedIn API response to inject shell metacharacters and execute arbitrary OS commands.

Exploitation requires control over the LinkedIn API response, such as through a compromised OAuth token, API compromise, or a man-in-the-middle condition affecting that trusted response.


5) Missing Authentication for Critical Function (CVE-ID: N/A)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to missing authentication for a critical function in decryptMessage.json.php when handling PGP decryption requests. A remote attacker can send specially crafted decryption requests to disclose sensitive information and cause a denial of service.

Submitted private key material may be exposed in server memory or logging infrastructure depending on deployment configuration.


Remediation

Install the update from the vendor's website.