GHSA-2VG4-RRX4-QCPQ

Vulnerability from github – Published: 2026-04-04 06:16 – Updated: 2026-04-07 14:20
VLAI?
Summary
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Details

Summary

The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().

Details

The entire file at plugin/API/check.ffmpeg.json.php:

<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');

$obj = testFFMPEGRemote();

die(json_encode($obj));

No User::isAdmin(), User::isLogged(), or any access control check exists.

Compare with sibling endpoints in the same directory: - kill.ffmpeg.json.php checks User::isAdmin() - list.ffmpeg.json.php checks User::isAdmin()

Proof of Concept

curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"

Returns information about whether the platform uses a standalone FFmpeg server and its current reachability.

Impact

Infrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.

Recommended Fix

Add an admin authentication check at plugin/API/check.ffmpeg.json.php:3, after require_once $configFile;:

if (!User::isAdmin()) {
    forbiddenPage('Admin only');
}

Found by aisafe.io

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:16:49Z",
    "nvd_published_at": "2026-04-06T22:16:23Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (`kill.ffmpeg.json.php`, `list.ffmpeg.json.php`, `ffmpeg.php`) require `User::isAdmin()`.\n\n## Details\n\nThe entire file at `plugin/API/check.ffmpeg.json.php`:\n\n```php\n\u003c?php\n$configFile = __DIR__.\u0027/../../videos/configuration.php\u0027;\nrequire_once $configFile;\nheader(\u0027Content-Type: application/json\u0027);\n\n$obj = testFFMPEGRemote();\n\ndie(json_encode($obj));\n```\n\nNo `User::isAdmin()`, `User::isLogged()`, or any access control check exists.\n\nCompare with sibling endpoints in the same directory:\n- `kill.ffmpeg.json.php` checks `User::isAdmin()`\n- `list.ffmpeg.json.php` checks `User::isAdmin()`\n\n## Proof of Concept\n\n```bash\ncurl \"https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php\"\n```\n\nReturns information about whether the platform uses a standalone FFmpeg server and its current reachability.\n\n## Impact\n\nInfrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.\n\n## Recommended Fix\n\nAdd an admin authentication check at `plugin/API/check.ffmpeg.json.php:3`, after `require_once $configFile;`:\n\n```php\nif (!User::isAdmin()) {\n    forbiddenPage(\u0027Admin only\u0027);\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-2vg4-rrx4-qcpq",
  "modified": "2026-04-07T14:20:51Z",
  "published": "2026-04-04T06:16:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35450"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.