Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33688 is a vulnerability in the WWBN AVideo platform's password recovery endpoint (`objects/userRecoverPass.php`) in versions up to and including 26.0. The issue arises because the endpoint checks if a user exists and their account status before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned by observing three distinct JSON error responses, all without solving any captcha."}, {'type': 'paragraph', 'content': 'Specifically, the endpoint returns different error messages for non-existent users, inactive users, and active users, which can be used as an oracle to reveal user information at scale. There is no rate limiting or brute force protection on this endpoint, making automated enumeration feasible.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to enumerate valid usernames and determine account statuses without authentication or captcha solving. This information disclosure can facilitate several malicious activities:

• Username Enumeration: Attackers can identify registered usernames.
• Account Status Disclosure: Attackers can distinguish active, inactive, and banned accounts.
• Credential Stuffing Facilitation: Valid usernames can be targeted in brute-force or credential stuffing attacks.
• Phishing Risk: Knowledge of valid active accounts enables targeted social engineering attacks.
• Automated Enumeration: Lack of rate limiting allows high-speed automated attacks.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending requests to the password recovery endpoint `objects/userRecoverPass.php` with different usernames and observing the JSON error responses without providing a captcha.'}, {'type': 'list_item', 'content': 'Query a non-existent username and observe if the response contains the error message "User not found".'}, {'type': 'list_item', 'content': 'Query a valid active username and observe if the response contains the error message "Captcha is empty", indicating the user exists and is active.'}, {'type': 'list_item', 'content': 'Query an inactive or banned username and observe if the response contains the error message "The user is not active".'}, {'type': 'paragraph', 'content': 'These distinct responses allow an attacker to enumerate valid usernames and determine account statuses without solving any captcha.'}, {'type': 'paragraph', 'content': 'Example command using curl to test a username (replace USERNAME and URL accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST -d "user=USERNAME" https://your-avideo-instance.com/objects/userRecoverPass.php'}, {'type': 'paragraph', 'content': 'By automating such requests with different usernames and analyzing the JSON responses, you can detect if the vulnerability exists on your system.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include modifying the password recovery endpoint to validate the captcha before performing any user existence or account status checks.

• Enforce captcha validation upfront: Return an error if the captcha is missing or invalid before checking the username.
• Return a generic success message regardless of whether the user exists or their status, to prevent information disclosure.
• Implement rate limiting on the password recovery endpoint to prevent automated bulk enumeration attempts.
• Apply the patch from commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 which enforces captcha validation and improves error handling.

These steps will prevent attackers from enumerating usernames and account statuses without solving captchas and reduce the risk of automated abuse.

Useful 0 Not Useful 0