CVE-2026-34247
Insecure Direct Object Reference in WWBN AVideo Live Poster Upload
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34247 is an Insecure Direct Object Reference (IDOR) vulnerability in the WWBN AVideo platform, specifically in the endpoint `plugin/Live/uploadPoster.php`. This endpoint allows any authenticated user to overwrite the poster image of any scheduled live stream by supplying an arbitrary `live_schedule_id` without verifying that the user owns the targeted live schedule.
The vulnerability exists because the endpoint only checks if the user is logged in but does not check if the user is authorized to modify the specific live schedule. After overwriting the poster, the endpoint broadcasts a notification containing the victim's broadcast key and user ID to all connected WebSocket clients, leaking sensitive information.
Attackers can enumerate schedule IDs easily because they are sequential integers, making it trivial to target any scheduled live stream.
How can this vulnerability impact me?
This vulnerability can impact you in several ways:
- Unauthorized users can overwrite poster images of scheduled live streams, enabling content tampering such as defacement or phishing.
- Viewers may receive false offline notifications due to the broadcast of a 'socketLiveOFFCallback' message, disrupting the victim's audience.
- Sensitive information such as broadcast keys and user IDs is leaked to all connected WebSocket clients, resulting in information disclosure.
- Attackers can enumerate and target all scheduled streams due to predictable schedule IDs, increasing the attack surface.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the endpoint `plugin/Live/uploadPoster.php` for unauthorized attempts to overwrite live stream posters using arbitrary `live_schedule_id` values.
A proof of concept involves sending a POST request to this endpoint with a chosen `live_schedule_id` and a malicious image file to see if the poster is overwritten without authorization errors.
To detect exploitation attempts on your system, you can use network monitoring or web server logs to identify POST requests to `plugin/Live/uploadPoster.php` with varying `live_schedule_id` parameters.
- Use tools like curl to test the endpoint manually: `curl -X POST -F "live_schedule_id=<id>" -F "[email protected]" https://your-avideo-domain/plugin/Live/uploadPoster.php -b cookies.txt`
- Check web server access logs for suspicious POST requests to `plugin/Live/uploadPoster.php` with different `live_schedule_id` values.
- Monitor WebSocket traffic for unexpected `socketLiveOFFCallback` notifications that include broadcast keys and user IDs, which may indicate exploitation.
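As an added illustration of the log-based check above (not code from this advisory or from the AVideo project), the following Python script parses constructed combined-format access-log lines and flags clients that POST to the poster endpoint in bursts, which is what sequential `live_schedule_id` enumeration looks like from the web server's side. Standard access logs do not record POST form fields such as `live_schedule_id`, so the check keys on request frequency rather than on the ID values; the IP addresses, timestamps, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "POST /plugin/Live/uploadPoster.php HTTP/1.1" 200 152 "-" "curl/8.5.0"
203.0.113.7 - - [27/Mar/2026:10:00:02 +0000] "POST /plugin/Live/uploadPoster.php HTTP/1.1" 200 152 "-" "curl/8.5.0"
203.0.113.7 - - [27/Mar/2026:10:00:02 +0000] "POST /plugin/Live/uploadPoster.php HTTP/1.1" 200 152 "-" "curl/8.5.0"
203.0.113.7 - - [27/Mar/2026:10:00:03 +0000] "POST /plugin/Live/uploadPoster.php HTTP/1.1" 200 152 "-" "curl/8.5.0"
203.0.113.7 - - [27/Mar/2026:10:00:04 +0000] "POST /plugin/Live/uploadPoster.php HTTP/1.1" 200 152 "-" "curl/8.5.0"
198.51.100.20 - - [27/Mar/2026:10:05:00 +0000] "POST /plugin/Live/uploadPoster.php HTTP/1.1" 200 152 "https://video.example/" "Mozilla/5.0"
198.51.100.20 - - [27/Mar/2026:10:06:10 +0000] "GET /plugin/Live/view/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "/plugin/Live/uploadPoster.php"  # endpoint named in the advisory

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_poster_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients that POSTed to the poster endpoint
    more than `threshold` times inside any sliding interval of length `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == TARGET:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

if __name__ == "__main__":
    for ip, n in find_poster_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} poster uploads within 60s (possible schedule-ID enumeration)")
```

Feed it a real access log with `find_poster_bursts(open(path).read())`; a single legitimate user uploading one poster, like the second client in the sample, is never flagged.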
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch that adds proper authorization checks in the `plugin/Live/uploadPoster.php` endpoint.
Specifically, after verifying that the user is logged in, the system should verify that the authenticated user either owns the targeted live schedule or is an administrator before allowing the poster to be overwritten.
If you cannot immediately patch, consider restricting access to the vulnerable endpoint to trusted users only or disabling it temporarily.
- Apply the fix from commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60, which adds ownership and admin checks.
- Monitor and audit usage of the `plugin/Live/uploadPoster.php` endpoint for suspicious activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized disclosure of sensitive information such as broadcast keys and user IDs to all connected WebSocket clients. This information disclosure could potentially violate data protection principles found in regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.
Additionally, the ability for attackers to tamper with scheduled live stream posters and send false notifications could lead to misinformation and phishing risks, which may indirectly impact compliance with standards that mandate integrity and security of user data and communications.
However, the CVE description and resources do not explicitly mention compliance with any specific standards or regulations.