Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30885 is an Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform, specifically in the endpoint `/objects/playlistsFromUser.json.php`.'}, {'type': 'paragraph', 'content': 'Before version 25.0, this endpoint returns all playlists for any specified user ID without requiring authentication or authorization.'}, {'type': 'paragraph', 'content': 'This means an unauthenticated attacker can enumerate user IDs and retrieve playlist information such as playlist names, video IDs, and playlist status for any user on the platform.'}, {'type': 'paragraph', 'content': "The root cause is that the endpoint accepts a `users_id` parameter and directly queries the database without verifying if the requester is logged in or authorized to access that user's data."}, {'type': 'paragraph', 'content': 'No authentication checks like `User::isLogged()` or authorization checks are performed before returning playlist data.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to several impacts including privacy violations, user enumeration, and information gathering.'}, {'type': 'list_item', 'content': "Privacy violations by exposing all users' playlist names and contents without consent."}, {'type': 'list_item', 'content': 'User enumeration by allowing attackers to discover valid user IDs on the platform.'}, {'type': 'list_item', 'content': 'Information gathering about user interests and private content preferences.'}, {'type': 'list_item', 'content': 'Enabling targeted attacks such as social engineering based on the exposed playlist data.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable endpoint `/objects/playlistsFromUser.json.php` with different user IDs without authentication and observing if playlist data is returned.'}, {'type': 'paragraph', 'content': 'A simple command to test this is using curl to request playlist data for a specific user ID, for example:'}, {'type': 'list_item', 'content': 'curl -X GET "http://your-avideo-instance/objects/playlistsFromUser.json.php?users_id=1"'}, {'type': 'paragraph', 'content': 'If the response returns playlist information such as playlist names, video IDs, and playlist status without requiring authentication, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves implementing proper authentication and authorization checks on the `/objects/playlistsFromUser.json.php` endpoint.'}, {'type': 'list_item', 'content': 'Require users to be authenticated before accessing playlist data.'}, {'type': 'list_item', 'content': 'Restrict access so that users can only retrieve their own playlists unless they have administrative privileges.'}, {'type': 'list_item', 'content': 'Alternatively, if public playlists are intended to be accessible, filter the playlists to return only those marked as public.'}, {'type': 'paragraph', 'content': 'Example PHP code to enforce these checks is:'}, {'type': 'list_item', 'content': "if (!User::isLogged()) { die(json_encode(['error' => 'Authentication required'])); }"}, {'type': 'list_item', 'content': "if ($_GET['users_id'] != User::getId() && !User::isAdmin()) { die(json_encode(['error' => 'Access denied'])); }"}, {'type': 'paragraph', 'content': 'Applying the official patch that introduces a `$publicOnly` flag to restrict access to non-public playlists only to owners and admins is recommended as a permanent fix.'}] [1, 2]

Useful 0 Not Useful 0