CVE-2020-37173
Information Disclosure in AVideo Platform 8.1 via Playlist Endpoint
Publication date: 2026-02-11
Last updated on: 2026-02-18
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | 8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37173 is an information disclosure vulnerability in AVideo Platform version 8.1 and earlier.
It allows unauthorized attackers to enumerate user details by exploiting the playlistsFromUser.json.php endpoint.
By manipulating the users_id parameter, attackers can retrieve sensitive user information such as email addresses, password hashes, and administrative status.
This vulnerability enables remote, unauthenticated attackers to access critical user data without any privileges or user interaction.
How can this vulnerability impact me?
This vulnerability can lead to significant information disclosure risks.
- Attackers can obtain sensitive user information including email addresses, password hashes, and administrative status.
- Exposure of password hashes and recovery tokens can facilitate further attacks such as password cracking or account takeover.
- Unauthorized access to administrative status information can help attackers identify high-value targets within the system.
- Since the attack requires no privileges or user interaction, it can be performed remotely and anonymously.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the endpoint /objects/playlistsFromUser.json.php with different users_id parameter values and observing if sensitive user information is returned without authorization.
A simple detection command using curl on a Linux system could be:
- `curl -v "http://<target-server>/objects/playlistsFromUser.json.php?users_id=1"`
If the response contains user details such as email, password hash, or admin status, it indicates the presence of the vulnerability. [2]
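As an added example that is not part of this record and not AVideo's own code, the following Python script applies the detection idea above from the defender's side: instead of probing the endpoint, it scans web-server access-log lines for clients that request /objects/playlistsFromUser.json.php with many distinct users_id values within a short window, which is the trace an enumeration attempt against this endpoint leaves in the logs. The combined log format, the threshold and window values, and the sample addresses and timestamps are assumptions chosen for the example.

```python
# Added example (not from the CVE record or the AVideo project): flag clients that
# iterate the users_id parameter of the AVideo playlist endpoint by scanning
# combined-format access-log lines. Format, thresholds and sample data are assumed.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: client IP, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENDPOINT = "/objects/playlistsFromUser.json.php"


def parse_line(line):
    """Parse one log line; return an event dict only for requests to the endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if url.path != ENDPOINT:
        return None
    ids = parse_qs(url.query).get("users_id", [])
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "status": int(m.group("status")),
        "users_id": ids[0] if ids else None,
    }


def find_enumerators(lines, threshold=5, window_seconds=60):
    """Return {ip: sorted distinct users_id values} for every client that requested
    the endpoint with at least `threshold` distinct users_id values inside any
    `window_seconds` window. Only 2xx responses count, since only those could
    have returned user data."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["users_id"] is not None and 200 <= ev["status"] < 300:
            events[ev["ip"]].append((ev["ts"], ev["users_id"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over this client's requests, ordered by time.
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {uid for _, uid in evs[start:end + 1]}
            if len(distinct) >= threshold:
                all_ids = {uid for _, uid in evs}
                flagged[ip] = sorted(all_ids, key=lambda s: (len(s), s))
                break
    return flagged


# Constructed sample log lines (not real traffic): one client walks users_id 1..6
# within a minute; another client makes a single request plus an unrelated page load.
SAMPLE_LOG = [
    f'198.51.100.7 - - [11/Feb/2026:10:00:{s:02d} +0000] "GET {ENDPOINT}?users_id={i} HTTP/1.1" 200 512'
    for i, s in zip(range(1, 7), range(0, 60, 10))
] + [
    f'203.0.113.4 - - [11/Feb/2026:10:02:00 +0000] "GET {ENDPOINT}?users_id=42 HTTP/1.1" 200 480',
    '203.0.113.4 - - [11/Feb/2026:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} distinct users_id values: {ids}")
```

Run against real logs by replacing SAMPLE_LOG with the lines of the server's access log; tune `threshold` and `window_seconds` to the site's normal traffic, and note that the script only sees enumeration after the fact, so it complements rather than replaces the authorization check on the endpoint itself.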
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the playlistsFromUser.json.php endpoint to authorized users only, for example by implementing authentication and authorization checks.
Additionally, updating the AVideo Platform to a version where this vulnerability is fixed or applying vendor-provided patches is recommended.
If patching is not immediately possible, consider blocking or filtering requests to the vulnerable endpoint at the network firewall or web application firewall level.