Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33297 is a vulnerability in the WWBN AVideo platform affecting the CustomizeUser plugin's setPassword.json.php endpoint. This endpoint allows administrators to set a channel password for any user. Due to a logic error, when an administrator sets a password containing any non-numeric characters, the password is silently converted to the integer zero before being stored."}, {'type': 'paragraph', 'content': 'This happens because the submitted password value is processed using PHP\'s intval() function, which converts non-numeric strings to 0. As a result, regardless of the intended password, the stored channel password becomes "0".'}, {'type': 'paragraph', 'content': 'This means that any visitor can easily guess the password "0" and bypass channel-level access control, defeating the purpose of password protection.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'The vulnerability allows unauthorized users to bypass channel-level access control by simply entering "0" as the password, gaining access to protected channels.'}, {'type': 'list_item', 'content': 'Administrators who set non-numeric passwords unknowingly weaken the password to "0" without any warning.'}, {'type': 'list_item', 'content': 'Channel password protection becomes ineffective, compromising the confidentiality of channel content.'}, {'type': 'list_item', 'content': 'The vulnerability does not allow account takeover or privilege escalation, but it does expose channel content to unauthorized viewers.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if any channel passwords have been set to the value "0", which indicates that a non-numeric password was silently coerced to zero due to the logic error.'}, {'type': 'paragraph', 'content': "Since the vulnerability involves the CustomizeUser plugin's setPassword.json.php endpoint, you can monitor or audit requests to this endpoint to identify if administrators have attempted to set passwords containing non-numeric characters."}, {'type': 'paragraph', 'content': 'Suggested commands include querying the database or system for channel passwords equal to "0" to identify affected users.'}, {'type': 'list_item', 'content': "Example SQL query to find affected channel passwords: SELECT users_id, channel_password FROM channels WHERE channel_password = '0';"}, {'type': 'list_item', 'content': 'Monitor web server logs for POST requests to the CustomizeUser/setPassword.json.php endpoint where the ProfilePassword parameter contains non-numeric characters.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint by attempting to set a non-numeric password and verifying if it is stored as "0".'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade WWBN AVideo to version 26.0 or later, where the vulnerability has been patched by changing the password handling from intval() to strval(), ensuring passwords are stored correctly as strings.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, administrators should avoid setting channel passwords containing non-numeric characters, as these will be coerced to zero and weaken security.'}, {'type': 'paragraph', 'content': 'Additionally, review and reset any channel passwords currently set to "0" to strong, properly stored passwords after applying the patch.'}, {'type': 'paragraph', 'content': 'Monitor administrative actions on the setPassword.json.php endpoint to ensure passwords are being set correctly.'}] [1, 2]

Useful 0 Not Useful 0