Executive Summary

This vulnerability affects WWBN AVideo versions 29.0 and prior. It involves three admin-only JSON endpoints that perform state-changing actions on the database but do not enforce CSRF token validation. Specifically, these endpoints check only the user's role but omit important security checks like isGlobalTokenValid() or forbidIfIsUntrustedRequest(). As a result, an attacker can trick a logged-in admin into visiting a malicious page, which then allows the attacker to create, update, or delete categories and execute plugin update scripts within the admin's session.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized changes in the system by an attacker leveraging an admin's session. This includes creating, updating, or deleting categories and forcing execution of plugin update scripts. Such actions can compromise the integrity of the platform, potentially leading to unauthorized modifications, disruption of service, or execution of malicious code within the context of the admin user.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2.

The vulnerability exists because certain admin-only JSON endpoints do not enforce CSRF token validation, allowing attackers to perform state-changing actions if an admin is tricked into visiting a malicious page.

Applying the fix ensures that these endpoints properly validate CSRF tokens, preventing unauthorized actions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to perform unauthorized state-changing actions in the admin's session by exploiting missing CSRF token checks on certain admin-only JSON endpoints. This could lead to unauthorized modification or deletion of categories and forced execution of plugin update scripts.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to manipulate administrative functions without proper authorization could potentially lead to violations of data integrity and security requirements mandated by these regulations.

Therefore, this vulnerability may negatively impact compliance with common security standards and regulations that require strict access controls and protection against unauthorized actions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves missing CSRF token and origin validation on three admin-only JSON endpoints in the AVideo platform: `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`. Detection can focus on monitoring or testing these endpoints for unauthorized state-changing requests without proper CSRF tokens.

To detect exploitation attempts or verify if your system is vulnerable, you can attempt to send POST requests to these endpoints without CSRF tokens and observe if the requests succeed or fail.

Example commands using curl to test these endpoints (replace URL and authentication cookies as appropriate):

• Test category creation or overwrite: curl -X POST -b 'admin_session_cookie' -d 'id=0&name=TestCategory' https://your-avideo-site/objects/categoryAddNew.json.php
• Test category deletion: curl -X POST -b 'admin_session_cookie' -d 'id=123' https://your-avideo-site/objects/categoryDelete.json.php
• Test plugin update script execution: curl -X POST -b 'admin_session_cookie' -d 'name=pluginName' https://your-avideo-site/objects/pluginRunUpdateScript.json.php

If these requests succeed without requiring a valid CSRF token or origin validation, your system is vulnerable.

Additionally, monitoring web server logs for unexpected POST requests to these endpoints from admin sessions or unusual plugin update executions can help detect exploitation attempts.

Useful 0 Not Useful 0