Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33479 is a high-severity vulnerability in the Gallery plugin of the WWBN AVideo platform. The vulnerability exists because the saveSort.json.php endpoint takes unsanitized user input from the 'sections' array and passes it directly into PHP's eval() function. Although this endpoint is restricted to admin users, it lacks Cross-Site Request Forgery (CSRF) protection. Because the session cookies are configured with SameSite=None, an attacker can exploit this by tricking an authenticated admin into visiting a malicious page that submits a crafted request, leading to remote code execution on the server."}, {'type': 'paragraph', 'content': 'In essence, the vulnerability allows an attacker to execute arbitrary PHP code on the server without authentication, by exploiting the combination of missing CSRF tokens, unsafe use of eval(), and the session cookie configuration.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution (RCE) on the server hosting the AVideo platform. An attacker can gain full control over the server, potentially accessing the file system, databases, and installing backdoors.

• Full server compromise
• Unauthorized access to sensitive data
• Ability to execute arbitrary commands on the server
• Potential lateral movement within the network
• Stealthy attacks requiring only that an admin visits a malicious page

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking for the presence of the vulnerable endpoint and monitoring for suspicious POST requests to it.'}, {'type': 'list_item', 'content': 'Look for POST requests to the endpoint `saveSort.json.php` within the Gallery plugin directory.'}, {'type': 'list_item', 'content': 'Check if the requests contain the `sections` parameter with unusual or suspicious values that could be PHP code injection attempts.'}, {'type': 'list_item', 'content': 'Monitor web server logs for POST requests to `plugin/Gallery/view/saveSort.json.php` that do not include a valid CSRF token or that return HTTP 403 errors indicating missing or invalid CSRF tokens (if patched).'}, {'type': 'list_item', 'content': "Use commands like `grep 'saveSort.json.php' /var/log/apache2/access.log` or equivalent for your web server logs to find relevant requests."}, {'type': 'list_item', 'content': 'Inspect POST data for suspicious payloads in the `sections` parameter, such as code snippets or base64-encoded commands.'}, {'type': 'list_item', 'content': 'If possible, use intrusion detection systems or web application firewalls to alert on POST requests to this endpoint with unexpected input patterns.'}] [2, 1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patch and implementing protective configurations to prevent exploitation.

• Apply the patch from commit 087dab8841f8bdb54be184105ef19b47c5698fcb which adds CSRF token validation and input sanitization to the vulnerable endpoint.
• Ensure that the `saveSort.json.php` endpoint requires a valid CSRF token (`globalToken`) in POST requests; requests without a valid token should be rejected with HTTP 403.
• Validate and sanitize all input parameters, especially the `sections` array, allowing only alphanumeric characters and underscores.
• Replace any use of PHP `eval()` with safe dynamic property access to prevent code injection.
• If patching is not immediately possible, consider changing the session cookie `SameSite` attribute from `null` to `Lax` to reduce CSRF risk.
• Limit admin user exposure by educating them not to visit untrusted or suspicious web pages that could trigger CSRF attacks.

Useful 0 Not Useful 0