Executive Summary

CVE-2026-33043 is a high-severity vulnerability in the WWBN AVideo open source video platform, affecting versions 25.0 and below. The vulnerability arises because the endpoint /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request.

Additionally, the allowOrigin() function reflects any Origin header back in the Access-Control-Allow-Origin response header and sets Access-Control-Allow-Credentials to true. This combination allows malicious websites to perform credentialed cross-origin requests and steal session IDs.

An attacker can host a malicious webpage that fetches the session ID from the vulnerable endpoint when a logged-in user visits the page, enabling session theft and full account takeover.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to complete account takeover of any logged-in user, including administrators.'}, {'type': 'paragraph', 'content': "An attacker who successfully exploits this issue can gain full access and control over the victim's account by stealing their PHP session ID through cross-origin requests."}, {'type': 'paragraph', 'content': 'The attack requires the victim to visit a malicious webpage controlled by the attacker, which then steals the session ID and allows impersonation with full privileges.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the endpoint /objects/phpsessionid.json.php exposes the current PHP session ID to unauthenticated requests and if the Access-Control-Allow-Origin header reflects arbitrary Origin headers with Access-Control-Allow-Credentials set to true.'}, {'type': 'paragraph', 'content': 'You can use curl commands to test the behavior of the endpoint and CORS headers.'}, {'type': 'list_item', 'content': 'Send a request to the vulnerable endpoint and observe if the session ID is returned without authentication: curl -i https://TARGET/objects/phpsessionid.json.php'}, {'type': 'list_item', 'content': 'Send a request with a custom Origin header and check if Access-Control-Allow-Origin reflects it with credentials allowed: curl -i -H "Origin: http://malicious.example.com" https://TARGET/objects/phpsessionid.json.php'}, {'type': 'list_item', 'content': 'Look for Access-Control-Allow-Credentials: true in the response headers combined with Access-Control-Allow-Origin reflecting the Origin header.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading WWBN AVideo to version 26.0 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, restrict access to the /objects/phpsessionid.json.php endpoint to trusted origins or authenticated users only.

Disable or tighten CORS policies to prevent reflecting arbitrary Origin headers with credentials enabled.

Specifically, ensure that the allowOrigin() function implements strict origin validation and does not reflect arbitrary origins with Access-Control-Allow-Credentials: true.

Consider blocking or filtering requests to the vulnerable endpoint from untrusted sources at the network or web server level.

Useful 0 Not Useful 0