GHSA-363V-5RH8-23WG

Vulnerability from github – Published: 2026-03-26 18:16 – Updated: 2026-03-27 21:40
Summary
AVideo has Plaintext Video Password Storage
Details

Summary

AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext.

Details

File: objects/video.php

Vulnerable setter:

public function setVideo_password($video_password)
{
    AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
    $this->video_password = trim($video_password);
}

Vulnerable getter:

public function getVideo_password()
{
    if (empty($this->video_password)) {
        return '';
    }
    return trim($this->video_password);
}

The value assigned to $this->video_password is only trim()-ed before being persisted to the database column video_password in the videos table. There is no call to any hashing function (e.g., password_hash(), sha256, or similar).

When a visitor enters a password to access a protected video, the comparison is done directly against the stored plaintext:

// Comparison at access check:
if ($video->getVideo_password() === $_POST['password']) { ... }

This means:

  1. Any database read (SQL injection, backup leak, hosting panel access) exposes all video passwords as cleartext.
  2. Video passwords are often reused by users across other services, making this a credential harvesting risk.
  3. The plaintext value is also present in application memory and any query logs.

PoC

  1. Set a password on any video via the AVideo admin/creator UI.
  2. Query the database: SELECT clean_title, video_password FROM videos WHERE video_password != '';
  3. All video passwords are returned in plaintext — no cracking required.

Alternatively, exploit any of the SQL injection vulnerabilities already reported in this repository to extract the video_password column directly.

Impact

  • Type: Cleartext Storage of Sensitive Information (CWE-312)
  • Severity: High
  • Authentication required: No — any database read access (including via SQL injection by unauthenticated users) exposes all passwords
  • Impact: Full exposure of all video access passwords; credential reuse attacks against users who share passwords across services
  • Fix: Hash video passwords on write using password_hash($video_password, PASSWORD_BCRYPT) and verify on read using password_verify($_POST['password'], $stored_hash)
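
One way to apply the fix named above while still handling rows that hold plaintext from before the change. This is an added example, not AVideo's code or the project's actual patch; the function names are hypothetical and the sample values are constructed.

```php
<?php
// Added example: hypothetical helpers, not part of AVideo.

// Hash on write. An empty string keeps meaning "no password set".
function hashVideoPassword(string $plain): string
{
    $plain = trim($plain);
    return $plain === '' ? '' : password_hash($plain, PASSWORD_BCRYPT);
}

// True when $stored is a legacy plaintext value rather than password_hash() output.
// password_get_info() reports an empty 'algo' for strings it does not recognise.
function isLegacyPlaintext(string $stored): bool
{
    return $stored !== '' && empty(password_get_info($stored)['algo']);
}

// Verify a submitted password against the stored column value.
// Returns [bool $ok, ?string $newStoredValue]; a non-null second element
// is a fresh hash the caller must write back to videos.video_password.
function verifyVideoPassword(string $stored, string $submitted): array
{
    $submitted = trim($submitted);
    if ($stored === '' || $submitted === '') {
        return [false, null]; // unprotected videos are handled by the caller
    }
    if (isLegacyPlaintext($stored)) {
        // Legacy row: constant-time compare, then upgrade to a hash on success.
        $ok = hash_equals($stored, $submitted);
        return [$ok, $ok ? hashVideoPassword($submitted) : null];
    }
    $ok = password_verify($submitted, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT);
    return [$ok, $rehash ? hashVideoPassword($submitted) : null];
}

// Constructed sample: a legacy plaintext row is accepted once and upgraded.
$legacy = 'movie-night';
[$ok, $upgraded] = verifyVideoPassword($legacy, 'movie-night');
var_dump($ok, isLegacyPlaintext($upgraded));

// The upgraded hash rejects a wrong password and asks for no write-back.
[$ok2, $new2] = verifyVideoPassword($upgraded, 'wrong');
var_dump($ok2, $new2);
```

The video_password column has to be wide enough for the hash (bcrypt output is 60 characters), and rows never accessed after the change remain plaintext until they are hashed in a one-off migration.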

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:16:39Z",
    "nvd_published_at": "2026-03-27T17:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nAVideo allows content owners to password-protect individual videos. The video password is stored in the database in **plaintext** \u2014 no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext.\n\n### Details\n\n**File:** `objects/video.php`\n\n**Vulnerable setter:**\n```php\npublic function setVideo_password($video_password)\n{\n    AVideoPlugin::onVideoSetVideo_password($this-\u003eid, $this-\u003evideo_password, $video_password);\n    $this-\u003evideo_password = trim($video_password);\n}\n```\n\n**Vulnerable getter:**\n```php\npublic function getVideo_password()\n{\n    if (empty($this-\u003evideo_password)) {\n        return \u0027\u0027;\n    }\n    return trim($this-\u003evideo_password);\n}\n```\n\nThe value assigned to `$this-\u003evideo_password` is only `trim()`-ed before being persisted to the database column `video_password` in the `videos` table. There is no call to any hashing function (e.g., `password_hash()`, `sha256`, or similar).\n\nWhen a visitor enters a password to access a protected video, the comparison is done directly against the stored plaintext:\n```php\n// Comparison at access check:\nif ($video-\u003egetVideo_password() === $_POST[\u0027password\u0027]) { ... }\n```\n\nThis means:\n1. Any database read (SQL injection, backup leak, hosting panel access) exposes all video passwords as cleartext.\n2. Video passwords are often reused by users across other services, making this a credential harvesting risk.\n3. The plaintext value is also present in application memory and any query logs.\n\n### PoC\n\n1. Set a password on any video via the AVideo admin/creator UI.\n2. Query the database: `SELECT clean_title, video_password FROM videos WHERE video_password != \u0027\u0027;`\n3. 
All video passwords are returned in plaintext \u2014 no cracking required.\n\nAlternatively, exploit any of the SQL injection vulnerabilities already reported in this repository to extract the `video_password` column directly.\n\n### Impact\n\n- **Type:** Cleartext Storage of Sensitive Information (CWE-312)\n- **Severity:** High\n- **Authentication required:** No \u2014 any database read access (including via SQL injection by unauthenticated users) exposes all passwords\n- **Impact:** Full exposure of all video access passwords; credential reuse attacks against users who share passwords across services\n- **Fix:** Hash video passwords on write using `password_hash($video_password, PASSWORD_BCRYPT)` and verify on read using `password_verify($_POST[\u0027password\u0027], $stored_hash)`",
  "id": "GHSA-363v-5rh8-23wg",
  "modified": "2026-03-27T21:40:51Z",
  "published": "2026-03-26T18:16:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/f2d68d2adbf73588ea61be2b781d93120a819e36"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo has Plaintext Video Password Storage"
}

