GHSA-6547-8HRG-C55M

Vulnerability from github – Published: 2026-03-19 17:25 – Updated: 2026-03-25 18:48
VLAI
Summary
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Details

Summary

The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.

Details

The endpoint correctly restricts access to administrators only, but the password value submitted via the ProfilePassword request parameter is processed with intval() before being passed to User::setProfilePassword(). The relevant code is:

$obj->ProfilePassword = intval(@$_REQUEST['ProfilePassword']);
$obj->users_id = $users_id;
$obj->response = User::setProfilePassword($users_id, $obj->ProfilePassword);

The call to intval() on an alphanumeric string such as secretabc123 returns 0. This silently discards the intended password value and stores 0 as the channel password instead. Because the coercion is silent, the administrator receives no error or warning and has no indication that the password they set was not stored correctly. Any visitor to the channel who enters 0 as the password will be granted access, completely defeating the channel password protection feature.

This is not a case where a malicious admin deliberately sets a weak password. The vulnerability causes well-intentioned admins to unknowingly install a trivially guessable password on any channel for which they attempt to configure a non-numeric password.

PoC

curl -s -X POST "https://target.example.com/plugin/CustomizeUser/setPassword.json.php" \
  -b "PHPSESSID=<admin_session_cookie>" \
  -d "users_id=42&ProfilePassword=secretPassword123"

curl -s -X POST "https://target.example.com/channel_password_check_endpoint" \
  -d "users_id=42&password=0"

import requests

base_url = "https://target.example.com"
session = requests.Session()

session.post(f"{base_url}/login", data={"user": "admin", "pass": "adminpass"})

session.post(
    f"{base_url}/plugin/CustomizeUser/setPassword.json.php",
    data={"users_id": "42", "ProfilePassword": "mySuperSecretPassword"}
)

resp = session.post(
    f"{base_url}/plugin/CustomizeUser/setPassword.json.php",
    data={"users_id": "42", "ProfilePassword": "0"}
)

print(resp.text)

Impact

Any administrator who sets a channel password using a non-numeric string unknowingly reduces that password to 0. Any unauthenticated or unprivileged user who simply enters 0 as the channel password can access the content that was intended to be protected. This breaks the confidentiality guarantees of the channel password protection feature across all channels managed by administrators who use alphanumeric passwords. The impact is scoped to channel-level access control and does not enable account takeover or privilege escalation, but it renders the password protection feature entirely ineffective for the common case of non-numeric passwords.

Severity
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:25:34Z",
    "nvd_published_at": "2026-03-23T14:16:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.\n\n### Details\n\nThe endpoint correctly restricts access to administrators only, but the password value submitted via the ProfilePassword request parameter is processed with `intval()` before being passed to `User::setProfilePassword()`. The relevant code is:\n\n```php\n$obj-\u003eProfilePassword = intval(@$_REQUEST[\u0027ProfilePassword\u0027]);\n$obj-\u003eusers_id = $users_id;\n$obj-\u003eresponse = User::setProfilePassword($users_id, $obj-\u003eProfilePassword);\n```\n\nThe call to `intval()` on an alphanumeric string such as secretabc123 returns 0. This silently discards the intended password value and stores 0 as the channel password instead. Because the coercion is silent, the administrator receives no error or warning and has no indication that the password they set was not stored correctly. Any visitor to the channel who enters 0 as the password will be granted access, completely defeating the channel password protection feature.\n\nThis is not a case where a malicious admin deliberately sets a weak password. The vulnerability causes well-intentioned admins to unknowingly install a trivially guessable password on any channel for which they attempt to configure a non-numeric password.\n\n### PoC\n\n```bash\ncurl -s -X POST \"https://target.example.com/plugin/CustomizeUser/setPassword.json.php\" \\\n  -b \"PHPSESSID=\u003cadmin_session_cookie\u003e\" \\\n  -d \"users_id=42\u0026ProfilePassword=secretPassword123\"\n```\n\n```bash\ncurl -s -X POST \"https://target.example.com/channel_password_check_endpoint\" \\\n  -d \"users_id=42\u0026password=0\"\n```\n\n```python\nimport requests\n\nbase_url = \"https://target.example.com\"\nsession = requests.Session()\n\nsession.post(f\"{base_url}/login\", data={\"user\": \"admin\", \"pass\": \"adminpass\"})\n\nsession.post(\n    f\"{base_url}/plugin/CustomizeUser/setPassword.json.php\",\n    data={\"users_id\": \"42\", \"ProfilePassword\": \"mySuperSecretPassword\"}\n)\n\nresp = session.post(\n    f\"{base_url}/plugin/CustomizeUser/setPassword.json.php\",\n    data={\"users_id\": \"42\", \"ProfilePassword\": \"0\"}\n)\n\nprint(resp.text)\n```\n\n### Impact\n\nAny administrator who sets a channel password using a non-numeric string unknowingly reduces that password to 0. Any unauthenticated or unprivileged user who simply enters 0 as the channel password can access the content that was intended to be protected. This breaks the confidentiality guarantees of the channel password protection feature across all channels managed by administrators who use alphanumeric passwords. The impact is scoped to channel-level access control and does not enable account takeover or privilege escalation, but it renders the password protection feature entirely ineffective for the common case of non-numeric passwords.",
  "id": "GHSA-6547-8hrg-c55m",
  "modified": "2026-03-25T18:48:44Z",
  "published": "2026-03-19T17:25:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/7a6a94631a0a18c313894395e6eb6703cca4abd0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo: IDOR - Any Admin Can Set Another User\u0027s Channel Password via setPassword.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.