CVE-2026-40925
Cross-Site Request Forgery in WWBN AVideo Admin Config Update
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to perform unauthorized changes to critical site settings such as encoder URL, SMTP credentials, site HTML, logo, favicon, and contact email by exploiting insufficient request validation and cross-origin POST requests. Such unauthorized modifications can lead to data integrity and confidentiality issues.
Because the vulnerability enables an attacker to alter SMTP credentials and other site configurations, it may result in unauthorized access to sensitive data or disruption of services, potentially violating data protection requirements under regulations like GDPR and HIPAA.
However, the provided information does not explicitly detail the direct impact on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo versions 29.0 and prior, specifically in the endpoint that updates global site settings via the file objects/configurationUpdate.json.php (also accessible through /updateConfig). The endpoint accepts numerous global site settings from POST requests but only protects itself by checking if the user is an administrator using User::isAdmin().
However, it lacks additional security measures such as forbidding untrusted requests, verifying a global token, or validating the Origin or Referer headers. Because the platform sets session.cookie_samesite=None to allow cross-origin iframe embedding, a logged-in administrator who visits a malicious website can have their browser automatically submit a cross-origin POST request. This request can overwrite critical site settings like the encoder URL, SMTP credentials, site HTML head content, logo, favicon, contact email, and more in a single action.
How can this vulnerability impact me?
The vulnerability allows an attacker to perform unauthorized changes to the global configuration of the AVideo platform by exploiting a logged-in administrator's session. This can lead to:
- Modification of the encoder URL, potentially redirecting video processing to malicious or compromised servers.
- Alteration of SMTP credentials, which could enable attackers to send emails from the site, possibly for phishing or spam.
- Changing site branding elements such as the logo and favicon, which can be used for defacement or social engineering.
- Updating the site's <head> HTML content, which could be used to inject malicious scripts or tracking.
- Changing the contact email, potentially intercepting communications.
Overall, this can compromise the integrity, confidentiality, and availability of the platform, leading to potential data breaches, loss of trust, and operational disruption.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update WWBN AVideo to a version that includes the fix, specifically after commit f9492f5e6123dff0292d5bb3164fde7665dc36b4.
Additionally, ensure that the endpoint /updateConfig (objects/configurationUpdate.json.php) properly validates requests by calling forbidIfIsUntrustedRequest(), verifying a globalToken, and validating the Origin/Referer headers to prevent unauthorized cross-origin POST requests.
As a temporary measure, restrict access to the updateConfig endpoint to trusted administrators only and consider adjusting session cookie settings to prevent cross-origin requests if feasible.
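The request checks the mitigation above describes (same-origin validation plus a per-session token, layered on the existing admin check) as an added PHP example; this is not AVideo's own code, and the function names, the csrf_token session key and the host videos.example.com are assumptions.

```php
<?php
// Added example, not AVideo's code: helper names, the csrf_token session key
// and the host value are assumptions for illustration.
const SITE_HOST = 'videos.example.com'; // assumed canonical host of the install
// With session.cookie_samesite=None the browser sends the admin's cookie on
// cross-site POSTs, so the Origin/Referer check and the token do the real work.
function isSameOrigin(array $server, string $siteHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if (!is_string($source) || $source === '') {
        return false; // no evidence of origin: refuse a state-changing request
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}
// Per-session token the admin form embeds in a hidden field; a cross-site
// page cannot read it, so a forged POST cannot supply it.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
// Run before any setting is written; null means proceed, otherwise the
// reason to answer with a 403.
function checkConfigUpdateRequest(array $server, array $session, array $post, bool $isAdmin): ?string
{
    if (!$isAdmin) {
        return 'admin session required'; // the only check the vulnerable endpoint had
    }
    if (!isSameOrigin($server, SITE_HOST)) {
        return 'cross-origin request refused';
    }
    $given = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return 'invalid or missing CSRF token';
    }
    return null;
}
// Constructed demo: the forged cross-site POST rides on the admin's session but
// has a foreign Origin and no token; the legitimate form submission passes.
$session = [];
$token = issueCsrfToken($session);
$forged = ['HTTP_ORIGIN' => 'https://other-site.example'];
$legit = ['HTTP_ORIGIN' => 'https://' . SITE_HOST];
var_dump(checkConfigUpdateRequest($forged, $session, ['encoderURL' => 'https://enc.example'], true));
var_dump(checkConfigUpdateRequest($legit, $session, ['csrf_token' => $token], true));
```

The guard refuses requests that carry neither an Origin nor a Referer header, so any legitimate admin-side script calling the endpoint must send one of them along with the token.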