Detection Guidance

To detect this vulnerability on your system, you can test whether the API endpoints `plugin/API/get.json.php` and `plugin/API/set.json.php` reflect arbitrary Origin headers with Access-Control-Allow-Credentials set to true, allowing credentialed cross-origin requests.

One approach is to send HTTP requests with a custom Origin header to these endpoints and observe the CORS headers in the response.

Example commands using curl to test the vulnerability:

• curl -i -H "Origin: http://malicious.example.com" https://TARGET/plugin/API/get.json.php?APIName=user
• curl -i -H "Origin: http://malicious.example.com" https://TARGET/plugin/API/set.json.php

If the response includes the header `Access-Control-Allow-Origin: http://malicious.example.com` along with `Access-Control-Allow-Credentials: true`, the system is vulnerable.

Additionally, monitoring network traffic for cross-origin requests with credentials to these endpoints from unexpected origins can help detect exploitation attempts.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in WWBN AVideo versions 29.0 and below. The function allowOrigin($allowAll=true) in objects/functions.php improperly reflects any arbitrary Origin header back in the Access-Control-Allow-Origin response header along with Access-Control-Allow-Credentials: true.

This function is used by the main API endpoints plugin/API/get.json.php and plugin/API/set.json.php, which handle user data retrieval, authentication, livestream credentials, and state-changing operations.

Because the application uses a SameSite=None session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses. This enables attackers to steal user personally identifiable information (PII), livestream keys, and perform state changes on behalf of the victim.

A fix for this issue is included in commit caf705f38eae0ccfac4c3af1587781355d24495e.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including theft of user personally identifiable information (PII), unauthorized access to livestream keys, and the ability for attackers to perform state-changing operations on behalf of the victim.

Because any website can make credentialed cross-origin requests and read authenticated API responses, attackers can impersonate users and manipulate their data or livestream sessions without their consent.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit caf705f38eae0ccfac4c3af1587781355d24495e or later.

This fix addresses the insecure reflection of the Origin header in Access-Control-Allow-Origin and the associated risk of credentialed cross-origin requests.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows any website to make credentialed cross-origin requests and read authenticated API responses, enabling theft of user personally identifiable information (PII), livestream keys, and performing unauthorized state changes on behalf of the victim.

Such unauthorized access and exfiltration of user PII can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and integrity of personal data.

Therefore, exploitation of this vulnerability could result in violations of these standards due to the exposure and misuse of sensitive user information.

Useful 0 Not Useful 0