Executive Summary

This vulnerability affects WWBN AVideo, an open source video platform, in versions up to and including 29.0. It involves two unauthenticated paths in the objects/users.json.php file that expose the full set of registered user accounts. One path uses the isCompany request parameter to bypass the admin-only check by setting $ignoreAdmin to true for any non-admin caller, including unauthenticated visitors. This defeats the intended restriction inside User::getAllUsers() and User::getTotalUsers(). The second path accepts a users_id parameter and calls User::getUserFromID() without any permission check, allowing access to individual user information. Both paths return sensitive user details such as id, display name, channel URL, photo, background, status, and the total account count.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes the full set of registered user accounts, including user IDs, display names, channel URLs, photos, backgrounds, and statuses, to unauthenticated visitors. Such unauthorized disclosure of personal data could potentially violate data protection regulations like GDPR and HIPAA, which require safeguarding personal information and restricting access to authorized personnel only.

However, the provided information does not explicitly mention compliance impacts or regulatory assessments related to this vulnerability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthenticated access to specific paths in the WWBN AVideo platform that disclose user account information. To detect it on your network or system, you can attempt to access the following endpoints without authentication:

• Access the path objects/users.json.php with the parameter isCompany set, e.g., objects/users.json.php?isCompany=1, to check if it returns the full set of registered user accounts.
• Access the path objects/users.json.php with the parameter users_id set to a user ID, e.g., objects/users.json.php?users_id=1, to see if it returns information about a single user without permission checks.

You can use command-line tools like curl to test these endpoints, for example:

• curl -v http://your-avideo-domain/objects/users.json.php?isCompany=1
• curl -v http://your-avideo-domain/objects/users.json.php?users_id=1

If these commands return user data such as id, identification, channel URL, photo, background, or status without authentication, your system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade WWBN AVideo to a version that includes the fix referenced by commit d9cdc702481a626b15f814f6093f1e2a9c20d375.

If upgrading is not immediately possible, consider restricting access to the vulnerable endpoints (objects/users.json.php) via network controls such as firewall rules or web server configuration to require authentication or block unauthenticated requests.

Additionally, monitor access logs for suspicious requests to these endpoints and review user data exposure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of user information to unauthenticated attackers. An attacker can retrieve the full list of registered users along with their personal details such as display names, profile photos, and channel URLs. Additionally, they can query individual user information without any permission checks. This exposure can facilitate further attacks such as social engineering, phishing, or targeted attacks against users of the platform.

Useful 0 Not Useful 0