CVE-2020-37158
Undergoing Analysis Undergoing Analysis - In Progress

CSRF Vulnerability in AVideo 8.1 Enables Password Reset Abuse

Vulnerability report for CVE-2020-37158, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-11

Last updated on: 2026-02-20

Assigner: VulnCheck

Description

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-11
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo 8.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The vulnerability in AVideo Platform 8.1 is a cross-site request forgery (CSRF) issue that targets the password recovery mechanism.'}, {'type': 'paragraph', 'content': "Attackers can exploit this by crafting malicious requests to the recoverPass endpoint using a user's recovery token, allowing them to reset user passwords without authentication."}, {'type': 'paragraph', 'content': "This means an attacker can change account credentials without the user's consent or knowledge."}] [2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized password resets, allowing attackers to take over user accounts.'}, {'type': 'paragraph', 'content': "Once an attacker resets a password, they can gain access to the affected user's account and potentially misuse it."}, {'type': 'paragraph', 'content': 'This compromises the integrity of user accounts and can lead to further unauthorized actions within the platform.'}] [2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized or suspicious requests to the password recovery endpoint (recoverPass) that include recovery tokens. Specifically, checking for crafted requests targeting the recoverPass endpoint using recovery tokens without proper authentication is key.'}, {'type': 'paragraph', 'content': 'One approach is to inspect web server logs for unusual POST or GET requests to URLs like recoverPass?user=[username]&recoverpass=[token].'}, {'type': 'paragraph', 'content': 'Commands to help detect this might include using tools like curl or wget to test the endpoint manually, or using grep to search logs for suspicious recoverPass requests.'}, {'type': 'list_item', 'content': "grep 'recoverPass' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep 'recoverpass=' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': "curl -v 'http://[avideo-server]/recoverPass?user=admin&recoverpass=[token]'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected password reset activities or unusual user account changes can help detect exploitation attempts.'}] [2, 3]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the password recovery functionality until a patch or fix is applied.

Implement CSRF protections on the recoverPass endpoint to ensure that password reset requests require proper authentication and validation.

Ensure that recovery tokens are single-use, expire quickly, and are validated securely on the server side.

Monitor and audit password reset requests and user account changes for suspicious activity.

Upgrade to a patched version of AVideo Platform if available, or apply vendor-provided security updates addressing this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart