Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33719 is a vulnerability in the WWBN AVideo platform's CDN plugin (versions up to 26.0) where the plugin uses key-based authentication with a default empty string key. When the CDN plugin is enabled but the key is not configured (left as the default empty string), the authentication check is completely bypassed."}, {'type': 'paragraph', 'content': "This allows any unauthenticated attacker to modify the entire CDN configuration by sending specially crafted requests to the plugin's endpoints (`plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php`). The attacker can change CDN URLs, storage credentials, and even the authentication key itself through mass-assignment of parameters."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the code skips key validation if the stored key is empty, allowing any non-empty key value to pass authentication. This leads to unauthorized access and control over the CDN plugin configuration.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Complete takeover of the CDN configuration without authentication.
• Redirecting all media delivery to attacker-controlled servers, enabling content injection or phishing attacks.
• Exfiltration of uploaded videos by redirecting storage to attacker-controlled hosts.
• Hijacking storage credentials such as usernames and passwords.
• Locking out legitimate administrators by changing the authentication key.
• Causing denial of service by disabling the CDN plugin entirely.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` are accessible without proper authentication, specifically if the CDN key is left as the default empty string. An effective detection method is to send HTTP requests to these endpoints with arbitrary or empty key parameters and observe if the requests succeed in modifying or disabling the CDN configuration.'}, {'type': 'paragraph', 'content': 'Suggested commands to test for the vulnerability include using curl to send requests with arbitrary keys and parameters to see if unauthorized changes are accepted:'}, {'type': 'list_item', 'content': "Check if the status endpoint accepts requests without a valid key and allows configuration changes: curl -X POST 'http://<target>/plugin/CDN/status.json.php' -d 'key=anyvalue&par[CDN]=http://attacker.com'"}, {'type': 'list_item', 'content': "Check if the disable endpoint can be triggered without authentication: curl -X POST 'http://<target>/plugin/CDN/disable.json.php' -d 'key=anyvalue'"}, {'type': 'paragraph', 'content': 'If these requests succeed in modifying or disabling the CDN plugin, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Ensure that the CDN plugin key is configured to a strong, non-empty secret value immediately after enabling the plugin to prevent authentication bypass.
• Apply the patch from commit adeff0a31ba04a56f411eef256139fd7ed7d4310 which enforces strict key validation using constant-time comparison and restricts parameter updates to safe fields.
• Restrict access to the CDN plugin endpoints to trusted administrators or internal networks until the patch and key configuration are applied.
• Monitor logs and network traffic for unauthorized requests to the vulnerable endpoints.

Useful 0 Not Useful 0