CVE-2026-43875
OAuth Login Credential Exposure in WWBN AVideo
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes stored password hashes in URLs during OAuth login redirects, which can be captured through server logs, referrer leakage, or browser history. Such exposure can lead to full account takeover, including administrative accounts.
The leakage of sensitive authentication credentials likely violates data protection and privacy requirements found in common standards and regulations such as GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access.
Therefore, this vulnerability could result in non-compliance with these regulations due to inadequate protection of user credentials and potential unauthorized access to personal data.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating WWBN AVideo to a version that contains the fix (commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 or later).
Until the update can be applied, avoid exposing sensitive information in URLs, especially password hashes, and restrict access to the vulnerable OAuth login endpoint.
Additionally, monitor and audit server logs and network traffic for signs of exploitation and consider resetting passwords for affected accounts.
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue occurs in the plugin/MobileManager/oauth2.php file, which completes an OAuth login by sending an HTTP 302 redirect containing the victim's stored password hash in the URL parameters. This hash is derived from the user's password using a combination of md5, whirlpool, and sha1 hashing algorithms.
Because the login endpoint accepts a flag that bypasses hashing and compares the supplied value directly to the stored hash, anyone who captures the redirect URL (through server logs, referrer leakage, or browser history) can obtain a credential equivalent to the plaintext password. This allows full account takeover, including admin accounts.
How can this vulnerability impact me?
The vulnerability allows an attacker who captures the redirect URL containing the password hash to fully take over the victim's account without needing the plaintext password.
- Account takeover including administrative accounts.
- Potential unauthorized access to sensitive user data and platform controls.
- Compromise of user privacy and platform security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic and server logs for HTTP 302 redirects from the plugin/MobileManager/oauth2.php endpoint whose target URL points to oauth2Success.php with user and pass query parameters. The pass parameter contains the victim's stored password hash, which should never appear in a URL.
Commands to detect this might include using network traffic analysis tools such as tcpdump or Wireshark to filter HTTP 302 responses whose Location header points to 'oauth2Success.php' with a 'pass=' parameter. Packet capture only sees plaintext HTTP; on HTTPS deployments, rely on the web server's own access logs instead.
- tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'Location: .*oauth2Success\.php'
- grep -E 'oauth2Success\.php\?[^" ]*pass=' /var/log/apache2/access.log
- Search web server access logs for URLs containing 'oauth2Success.php?user=' together with a 'pass=' parameter, in both the request line and the Referer field, since the redirect target can leak through referrers as well as through the request itself.
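As an added example (not part of this advisory or of the AVideo code base), the following Python script applies the log check above to Apache combined-format access log lines, flagging any request line or Referer header that carries an oauth2Success.php URL with a pass parameter. The log format is assumed to be Apache "combined", the sample lines are constructed, and the hash values in them are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def leaked_credential(url):
    """Return the user name if `url` is an oauth2Success.php URL carrying the
    'pass' parameter described in the advisory, otherwise None."""
    parts = urlsplit(url)
    if not parts.path.endswith("oauth2Success.php"):
        return None
    qs = parse_qs(parts.query)
    if "pass" not in qs:
        return None
    return qs.get("user", ["<unknown>"])[0]

def scan_access_log(lines):
    """Flag log lines whose request URL or Referer exposes a stored hash.
    The hash value itself is deliberately not copied into the findings, so the
    report can be shared without re-leaking the credential."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("url", "referer"):
            user = leaked_credential(m.group(field))
            if user is not None:
                findings.append({"source_ip": m.group("ip"), "time": m.group("ts"),
                                 "field": field, "user": user})
    return findings

# Constructed sample log; PLACEHOLDER_HASH stands in for a real stored hash.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2026:10:00:01 +0000] "GET /plugin/MobileManager/oauth2.php?code=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/May/2026:10:00:02 +0000] "GET /oauth2Success.php?user=alice&pass=PLACEHOLDER_HASH HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/May/2026:10:00:05 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://video.example/oauth2Success.php?user=bob&pass=PLACEHOLDER_HASH" "Mozilla/5.0"',
    '203.0.113.9 - - [11/May/2026:10:00:06 +0000] "GET /oauth2Success.php?user=carol HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Accounts named in the findings are candidates for the password reset recommended in the mitigation steps above.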