Executive Summary

CVE-2026-33763 is a vulnerability in the WWBN AVideo platform (versions up to 26.0) where the API endpoint `get_api_video_password_is_correct` allows any unauthenticated user to check if a given password is correct for any password-protected video.

This endpoint returns a boolean field `passwordIsCorrect` without any rate limiting, CAPTCHA, or authentication, enabling attackers to perform efficient brute-force attacks at offline speeds.

The vulnerability arises because video passwords are stored in plaintext and compared using loose equality, and the endpoint does not restrict the number of password attempts.

Useful 0 Not Useful 0

Impact Analysis

An attacker can brute-force the password of any password-protected video without authentication, potentially gaining unauthorized access.

• Bypassing access control to private, sensitive, or commercial video content.
• Exploiting the lack of rate limiting to attempt thousands of password guesses per second.
• Compromising confidentiality of video content due to weak password protection and plaintext storage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring API requests to the `get_api_video_password_is_correct` endpoint on the WWBN AVideo platform. Since the endpoint allows unauthenticated access and returns a boolean indicating password correctness without rate limiting, unusual or high-frequency requests to this endpoint may indicate exploitation attempts.

To detect potential brute-force attempts, you can analyze web server logs or network traffic for repeated calls to this endpoint with varying `video_password` parameters.

Example commands to detect such activity might include:

• Using grep on web server logs to find calls to the vulnerable API endpoint: `grep 'get_api_video_password_is_correct' /var/log/apache2/access.log`
• Counting the number of requests per IP to identify suspicious high-frequency access: `grep 'get_api_video_password_is_correct' /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr`
• Using network monitoring tools like tcpdump or Wireshark to filter HTTP GET requests to the endpoint URL.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing rate limiting on the `get_api_video_password_is_correct` API endpoint to prevent brute-force password guessing.

Specifically, applying a limit such as 10 attempts per 5 minutes per IP address can significantly reduce the risk of automated password guessing attacks.

Additionally, consider the following:

• Apply the patch from commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 which adds rate limiting to this and other sensitive API endpoints.
• Plan to store video passwords securely using hashing functions like `password_hash()` and verify them with `password_verify()` instead of storing plaintext passwords.
• If immediate code changes are not possible, monitor and block IPs exhibiting suspicious behavior targeting this endpoint.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated users to brute-force passwords for any password-protected video without rate limiting or CAPTCHA, potentially exposing sensitive or private video content.

This exposure of protected content could lead to unauthorized access to personal or confidential information, which may violate data protection regulations such as GDPR or HIPAA that require appropriate access controls and protection of sensitive data.

The lack of rate limiting and plaintext password storage further weakens security controls, increasing the risk of data breaches and non-compliance with standards mandating strong authentication and protection mechanisms.

Useful 0 Not Useful 0