GHSA-4Q27-4RRQ-FX95

Vulnerability from github – Published: 2026-04-03 23:43 – Updated: 2026-04-06 23:43
Summary
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Details

Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)

Summary

The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

Details

In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:

$pluginDO->skin = $_POST['skin'];

No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration.

AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.

An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.

Proof of Concept

Host the following HTML on an attacker-controlled domain:

<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST"
      action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
  <input type="hidden" name="skin" value="minimalist" />
</form>
<script>
  document.getElementById("csrf").submit();
</script>
</body>
</html>

When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.

Impact

  • Platform-wide player appearance modification without admin consent
  • Potential disruption of video playback if an invalid skin value is set
  • The ORM security bypass via ignoreTableSecurityCheck() means there is no fallback protection
  • Can be used as part of a broader defacement or social engineering attack

Recommended Fix

Add CSRF token validation at admin/playerUpdate.json.php, before processing POST data:

// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}
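A hardened version of the endpoint preamble, added here as an example and not taken from AVideo: it validates a per-session CSRF token in constant time, restores the Origin/Referer host check that the ORM would normally apply but which ignoreTableSecurityCheck() disables for the plugins table, and whitelists the skin value before it is assigned. Helper names, the session key csrf_token, and the skin list are assumptions.

```php
<?php
// Added example (not AVideo's code): hardened preamble for a config endpoint
// like admin/playerUpdate.json.php. Helper names/skin list are hypothetical.

// Compare the per-session CSRF token in constant time.
function csrfTokenValid(array $post, array $session): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Defense in depth: reject writes whose Origin (or Referer) host is not ours.
// This is the check the ORM normally supplies but which
// ignoreTableSecurityCheck() switches off for the plugins table.
function sameOriginRequest(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false; // fail closed when neither header is present
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Accept only skins the deployment knows about, never an arbitrary string.
function normalizeSkin(string $skin, array $allowed): ?string
{
    return in_array($skin, $allowed, true) ? $skin : null;
}

header('Content-Type: application/json');
$expectedHost = $_SERVER['SERVER_NAME'] ?? ''; // better: read from site config
$allowedSkins = ['default', 'minimalist'];    // constructed list
if (!csrfTokenValid($_POST, $_SESSION ?? [])) {
    http_response_code(403);
    die(json_encode(['error' => 'Invalid CSRF token']));
}
if (!sameOriginRequest($_SERVER, $expectedHost)) {
    http_response_code(403);
    die(json_encode(['error' => 'Cross-origin request rejected']));
}
$skin = normalizeSkin((string) ($_POST['skin'] ?? ''), $allowedSkins);
if ($skin === null) {
    http_response_code(400);
    die(json_encode(['error' => 'Unknown skin']));
}
// Only now assign: $pluginDO->skin = $skin;
```

Pair this with session cookies issued as SameSite=Lax (session_set_cookie_params(['samesite' => 'Lax', 'secure' => true]) before session_start()) so the browser stops attaching the admin cookie to cross-site POSTs. Where the project already provides isGlobalTokenValid(), it can stand in for the csrfTokenValid() helper above.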

Found by aisafe.io


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T23:43:23Z",
    "nvd_published_at": "2026-04-06T20:16:26Z",
    "severity": "MODERATE"
  },
  "id": "GHSA-4q27-4rrq-fx95",
  "modified": "2026-04-06T23:43:19Z",
  "published": "2026-04-03T23:43:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4q27-4rrq-fx95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35181"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php"
}

