Compliance Impact

This vulnerability allows unauthenticated attackers to access private playlists, including watch history and favorite videos, exposing sensitive video metadata and user information without authorization.

Such unauthorized disclosure of personal viewing habits and content preferences constitutes a privacy violation, which can negatively impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive user data.

By failing to enforce authorization checks, the platform risks exposing personally identifiable information (PII) and user behavior data, potentially leading to regulatory non-compliance and associated legal or financial consequences.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33759 is an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform. The vulnerability exists in the endpoint `objects/playlistsVideos.json.php`, which returns the full video contents of any playlist by its sequential integer playlist ID without performing any authentication or authorization checks.

While private playlists such as 'watch_later' and 'favorite' are hidden from user-facing listing endpoints, their contents can still be accessed directly by providing the playlist ID to this vulnerable endpoint. This allows an attacker to enumerate playlist IDs and retrieve private video contents and metadata without logging in.

The root cause is missing authorization checks before returning playlist contents, classified as CWE-862: Missing Authorization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to access all users' private playlist contents, including watch history and favorite videos.

Sensitive video metadata and user information such as titles, filenames, URLs, user details, comments, and subscriber counts are exposed.

This leads to a privacy violation by revealing user viewing habits and content preferences without any user interaction or privileges required.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 5.3, indicating it is exploitable over the network with low complexity and no authentication.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the endpoint `objects/playlistsVideos.json.php` with different sequential integer values for the `playlists_id` parameter without authentication. If the endpoint returns playlist contents, including private playlists such as 'watch_later' or 'favorite', it indicates the system is vulnerable.

A simple detection method is to send HTTP GET requests incrementing the `playlists_id` parameter and observe if playlist data is returned without authentication.

• Use curl or similar tools to test access, for example:
• curl -i "http://<target>/objects/playlistsVideos.json.php?playlists_id=1"
• curl -i "http://<target>/objects/playlistsVideos.json.php?playlists_id=2"
• Increment the `playlists_id` value to enumerate playlists and check if private playlist contents are accessible.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, implement authorization checks on the `objects/playlistsVideos.json.php` endpoint before returning playlist contents.

Specifically:

• Validate the `playlists_id` parameter and load the corresponding playlist.
• Check if the playlist is public or unlisted; if not, verify that the requester is authenticated and is either the owner of the playlist or an administrator.
• If the authorization check fails, respond with HTTP 403 Forbidden and an appropriate error message.
• Only allow access to playlist contents if the authorization check passes.

Applying the patch from commit bb716fbece656c9fe39784f11e4e822b5867f1ca is recommended, as it corrects permission handling and enforces these authorization checks.

Useful 0 Not Useful 0