CVE-2020-37173
Undergoing Analysis Undergoing Analysis - In Progress
Information Disclosure in AVideo Platform 8.1 via Playlist Endpoint

Publication date: 2026-02-11

Last updated on: 2026-02-18

Assigner: VulnCheck

Description
AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37173
EUVD
EUVD-2020-31127
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo 8.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-37173 is an information disclosure vulnerability in AVideo Platform version 8.1 and earlier.

It allows unauthorized attackers to enumerate user details by exploiting the playlistsFromUser.json.php endpoint.

By manipulating the users_id parameter, attackers can retrieve sensitive user information such as email addresses, password hashes, and administrative status.

This vulnerability enables remote, unauthenticated attackers to access critical user data without any privileges or user interaction.

Impact Analysis

This vulnerability can lead to significant information disclosure risks.

  • Attackers can obtain sensitive user information including email addresses, password hashes, and administrative status.
  • Exposure of password hashes and recovery tokens can facilitate further attacks such as password cracking or account takeover.
  • Unauthorized access to administrative status information can help attackers identify high-value targets within the system.
  • Since the attack requires no privileges or user interaction, it can be performed remotely and anonymously.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the endpoint /objects/playlistsFromUser.json.php with different users_id parameter values and observing if sensitive user information is returned without authorization.'}, {'type': 'paragraph', 'content': 'A simple detection command using curl on a Linux system could be:'}, {'type': 'list_item', 'content': 'curl -v "http://<target-server>/objects/playlistsFromUser.json.php?users_id=1"'}, {'type': 'paragraph', 'content': 'If the response contains user details such as email, password hash, or admin status, it indicates the presence of the vulnerability.'}] [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the playlistsFromUser.json.php endpoint to authorized users only, for example by implementing authentication and authorization checks.

Additionally, updating the AVideo Platform to a version where this vulnerability is fixed or applying vendor-provided patches is recommended.

If patching is not immediately possible, consider blocking or filtering requests to the vulnerable endpoint at the network firewall or web application firewall level.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart