GHSA-73GR-R64Q-7JH4

Vulnerability from github – Published: 2026-03-30 17:49 – Updated: 2026-03-30 17:49
VLAI?
Summary
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Details

Summary

The categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no ?user= parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the ?user= parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective.

Details

The vulnerability has two related failures in objects/categories.json.php and objects/category.php:

1. Default request — group filtering completely skipped

In categories.json.php:17-24, when $_GET['user'] is not set, $sameUserGroupAsMe defaults to false:

// categories.json.php:17-24
$onlyWithVideos = false;
$sameUserGroupAsMe = false;
if(!empty($_GET['user'])){
    $onlyWithVideos = true;
    $sameUserGroupAsMe = true;
}
$categories = Category::getAllCategories(true, $onlyWithVideos, false, $sameUserGroupAsMe);

In category.php:438-452, the user group filter is gated on $sameUserGroupAsMe being truthy:

// category.php:438-452
if ($sameUserGroupAsMe) {
    $users_groups = UserGroups::getUserGroups($sameUserGroupAsMe);
    $users_groups_id = array(0);
    foreach ($users_groups as $value) {
        $users_groups_id[] = $value['id'];
    }
    $sql .= " AND ("
        . "(SELECT count(*) FROM categories_has_users_groups chug WHERE c.id = chug.categories_id) = 0 OR "
        . "(SELECT count(*) FROM categories_has_users_groups chug2 WHERE c.id = chug2.categories_id AND users_groups_id IN (" . implode(',', $users_groups_id) . ")) >= 1 "
        . ")";
}

Since $sameUserGroupAsMe = false, the entire block is skipped. All non-private categories are returned regardless of their user group restrictions set via the categories_has_users_groups table.

2. With ?user= parameter — boolean-to-integer type confusion

When $_GET['user'] is non-empty, $sameUserGroupAsMe is set to boolean true (line 21). This value is passed to UserGroups::getUserGroups($sameUserGroupAsMe) at category.php:440.

In userGroups.php:349-379, the parameter is used as $users_id:

// userGroups.php:349,371,379
public static function getUserGroups($users_id){
    // ...
    $sql = "SELECT uug.*, ug.* FROM users_groups ug"
            . " LEFT JOIN users_has_users_groups uug ON users_groups_id = ug.id WHERE users_id = ? ";
    // ...
    $res = sqlDAL::readSql($sql, "i", [$users_id]);

PHP casts boolean true to integer 1 for the prepared statement bind, resulting in WHERE users_id = 1 — fetching the admin user's group memberships. The filter then allows categories visible to admin groups, effectively granting any unauthenticated user the admin's category visibility.

3. getTotalCategories also unfiltered

getTotalCategories() at category.php:978 does not accept a $sameUserGroupAsMe parameter at all, so the total count always reflects the unfiltered category set.

The endpoint requires no authentication — it uses allowOrigin() (a CORS header helper) and is publicly routable via the .htaccess rewrite rule: RewriteRule ^categories.json$ objects/categories.json.php.

PoC

# 1. Fetch all categories without authentication — no group filtering applied
curl -s 'https://target/categories.json' | jq '.rows[] | {id, name, private, users_groups_ids_array}'

# Returns ALL non-private categories including those restricted to specific user groups.
# The users_groups_ids_array field reveals which groups each category is restricted to.
# Categories with non-empty users_groups_ids_array should be hidden from users not in those groups.

# 2. Attempt the "filtered" path — still broken due to boolean->int cast
curl -s 'https://target/categories.json?user=1' | jq '.rows[] | {id, name, private, users_groups_ids_array}'

# This applies group filtering but uses admin's groups (users_id=1) instead of the
# current user's groups, so group-restricted categories visible to admin are exposed.

Impact

Any unauthenticated user can:

  • Enumerate all non-private categories regardless of user group restrictions, bypassing the intended access control model where categories are restricted to specific user groups via the CustomizeUser plugin's categories_has_users_groups table.
  • Discover the user group configuration for each category via the users_groups_ids_array field in the response, revealing the internal access control structure.
  • Identify group-restricted content areas that should be hidden, which could be used to target further access control bypasses on the videos within those categories.

The severity is Medium because this is an information disclosure of category metadata (names, descriptions, icons, group assignments) rather than the actual video content within restricted categories. However, the exposure of the access control structure itself (which groups have access to which categories) is a meaningful information leak.

Recommended Fix

In objects/categories.json.php, pass the current user's ID (or 0 for unauthenticated users) instead of a boolean:

// categories.json.php — replace lines 17-24
$onlyWithVideos = false;
$sameUserGroupAsMe = false;
if(!empty($_GET['user'])){
    $onlyWithVideos = true;
}
// Always apply user group filtering using the logged-in user's ID
$currentUserId = User::getId();
if (!empty($currentUserId)) {
    $sameUserGroupAsMe = $currentUserId;
} else {
    // For unauthenticated users, pass a value that will filter to only
    // categories with no group restrictions
    $sameUserGroupAsMe = -1; // Non-existent user ID, will match no groups
}

$categories = Category::getAllCategories(true, $onlyWithVideos, false, $sameUserGroupAsMe);

Additionally, in category.php:getAllCategories(), ensure the group filter block always runs when categories have group restrictions, not only when $sameUserGroupAsMe is truthy. A more robust approach:

// category.php — replace the sameUserGroupAsMe block (lines 438-452)
// Always filter by user groups if any categories have group restrictions
$users_groups_id = array(0);
if ($sameUserGroupAsMe && $sameUserGroupAsMe > 0) {
    $users_groups = UserGroups::getUserGroups($sameUserGroupAsMe);
    foreach ($users_groups as $value) {
        $users_groups_id[] = $value['id'];
    }
}
$sql .= " AND ("
    . "(SELECT count(*) FROM categories_has_users_groups chug WHERE c.id = chug.categories_id) = 0 OR "
    . "(SELECT count(*) FROM categories_has_users_groups chug2 WHERE c.id = chug2.categories_id AND users_groups_id IN (" . implode(',', $users_groups_id) . ")) >= 1 "
    . ")";

This ensures that even when no user is logged in, categories with group restrictions are hidden (only categories with zero group restrictions are shown). The getTotalCategories() function should also be updated to accept and apply the same $sameUserGroupAsMe filter.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T17:49:57Z",
    "nvd_published_at": "2026-03-27T18:16:05Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user\u0027s (user_id=1) group memberships instead of the current user\u0027s, rendering the filter ineffective.\n\n## Details\n\nThe vulnerability has two related failures in `objects/categories.json.php` and `objects/category.php`:\n\n**1. Default request \u2014 group filtering completely skipped**\n\nIn `categories.json.php:17-24`, when `$_GET[\u0027user\u0027]` is not set, `$sameUserGroupAsMe` defaults to `false`:\n\n```php\n// categories.json.php:17-24\n$onlyWithVideos = false;\n$sameUserGroupAsMe = false;\nif(!empty($_GET[\u0027user\u0027])){\n    $onlyWithVideos = true;\n    $sameUserGroupAsMe = true;\n}\n$categories = Category::getAllCategories(true, $onlyWithVideos, false, $sameUserGroupAsMe);\n```\n\nIn `category.php:438-452`, the user group filter is gated on `$sameUserGroupAsMe` being truthy:\n\n```php\n// category.php:438-452\nif ($sameUserGroupAsMe) {\n    $users_groups = UserGroups::getUserGroups($sameUserGroupAsMe);\n    $users_groups_id = array(0);\n    foreach ($users_groups as $value) {\n        $users_groups_id[] = $value[\u0027id\u0027];\n    }\n    $sql .= \" AND (\"\n        . \"(SELECT count(*) FROM categories_has_users_groups chug WHERE c.id = chug.categories_id) = 0 OR \"\n        . \"(SELECT count(*) FROM categories_has_users_groups chug2 WHERE c.id = chug2.categories_id AND users_groups_id IN (\" . implode(\u0027,\u0027, $users_groups_id) . \")) \u003e= 1 \"\n        . \")\";\n}\n```\n\nSince `$sameUserGroupAsMe = false`, the entire block is skipped. All non-private categories are returned regardless of their user group restrictions set via the `categories_has_users_groups` table.\n\n**2. With `?user=` parameter \u2014 boolean-to-integer type confusion**\n\nWhen `$_GET[\u0027user\u0027]` is non-empty, `$sameUserGroupAsMe` is set to boolean `true` (line 21). This value is passed to `UserGroups::getUserGroups($sameUserGroupAsMe)` at `category.php:440`.\n\nIn `userGroups.php:349-379`, the parameter is used as `$users_id`:\n\n```php\n// userGroups.php:349,371,379\npublic static function getUserGroups($users_id){\n    // ...\n    $sql = \"SELECT uug.*, ug.* FROM users_groups ug\"\n            . \" LEFT JOIN users_has_users_groups uug ON users_groups_id = ug.id WHERE users_id = ? \";\n    // ...\n    $res = sqlDAL::readSql($sql, \"i\", [$users_id]);\n```\n\nPHP casts boolean `true` to integer `1` for the prepared statement bind, resulting in `WHERE users_id = 1` \u2014 fetching the **admin user\u0027s** group memberships. The filter then allows categories visible to admin groups, effectively granting any unauthenticated user the admin\u0027s category visibility.\n\n**3. getTotalCategories also unfiltered**\n\n`getTotalCategories()` at `category.php:978` does not accept a `$sameUserGroupAsMe` parameter at all, so the total count always reflects the unfiltered category set.\n\nThe endpoint requires no authentication \u2014 it uses `allowOrigin()` (a CORS header helper) and is publicly routable via the `.htaccess` rewrite rule: `RewriteRule ^categories.json$ objects/categories.json.php`.\n\n## PoC\n\n```bash\n# 1. Fetch all categories without authentication \u2014 no group filtering applied\ncurl -s \u0027https://target/categories.json\u0027 | jq \u0027.rows[] | {id, name, private, users_groups_ids_array}\u0027\n\n# Returns ALL non-private categories including those restricted to specific user groups.\n# The users_groups_ids_array field reveals which groups each category is restricted to.\n# Categories with non-empty users_groups_ids_array should be hidden from users not in those groups.\n\n# 2. Attempt the \"filtered\" path \u2014 still broken due to boolean-\u003eint cast\ncurl -s \u0027https://target/categories.json?user=1\u0027 | jq \u0027.rows[] | {id, name, private, users_groups_ids_array}\u0027\n\n# This applies group filtering but uses admin\u0027s groups (users_id=1) instead of the\n# current user\u0027s groups, so group-restricted categories visible to admin are exposed.\n```\n\n## Impact\n\nAny unauthenticated user can:\n\n- **Enumerate all non-private categories** regardless of user group restrictions, bypassing the intended access control model where categories are restricted to specific user groups via the CustomizeUser plugin\u0027s `categories_has_users_groups` table.\n- **Discover the user group configuration** for each category via the `users_groups_ids_array` field in the response, revealing the internal access control structure.\n- **Identify group-restricted content areas** that should be hidden, which could be used to target further access control bypasses on the videos within those categories.\n\nThe severity is Medium because this is an information disclosure of category metadata (names, descriptions, icons, group assignments) rather than the actual video content within restricted categories. However, the exposure of the access control structure itself (which groups have access to which categories) is a meaningful information leak.\n\n## Recommended Fix\n\nIn `objects/categories.json.php`, pass the current user\u0027s ID (or 0 for unauthenticated users) instead of a boolean:\n\n```php\n// categories.json.php \u2014 replace lines 17-24\n$onlyWithVideos = false;\n$sameUserGroupAsMe = false;\nif(!empty($_GET[\u0027user\u0027])){\n    $onlyWithVideos = true;\n}\n// Always apply user group filtering using the logged-in user\u0027s ID\n$currentUserId = User::getId();\nif (!empty($currentUserId)) {\n    $sameUserGroupAsMe = $currentUserId;\n} else {\n    // For unauthenticated users, pass a value that will filter to only\n    // categories with no group restrictions\n    $sameUserGroupAsMe = -1; // Non-existent user ID, will match no groups\n}\n\n$categories = Category::getAllCategories(true, $onlyWithVideos, false, $sameUserGroupAsMe);\n```\n\nAdditionally, in `category.php:getAllCategories()`, ensure the group filter block always runs when categories have group restrictions, not only when `$sameUserGroupAsMe` is truthy. A more robust approach:\n\n```php\n// category.php \u2014 replace the sameUserGroupAsMe block (lines 438-452)\n// Always filter by user groups if any categories have group restrictions\n$users_groups_id = array(0);\nif ($sameUserGroupAsMe \u0026\u0026 $sameUserGroupAsMe \u003e 0) {\n    $users_groups = UserGroups::getUserGroups($sameUserGroupAsMe);\n    foreach ($users_groups as $value) {\n        $users_groups_id[] = $value[\u0027id\u0027];\n    }\n}\n$sql .= \" AND (\"\n    . \"(SELECT count(*) FROM categories_has_users_groups chug WHERE c.id = chug.categories_id) = 0 OR \"\n    . \"(SELECT count(*) FROM categories_has_users_groups chug2 WHERE c.id = chug2.categories_id AND users_groups_id IN (\" . implode(\u0027,\u0027, $users_groups_id) . \")) \u003e= 1 \"\n    . \")\";\n```\n\nThis ensures that even when no user is logged in, categories with group restrictions are hidden (only categories with zero group restrictions are shown). The `getTotalCategories()` function should also be updated to accept and apply the same `$sameUserGroupAsMe` filter.",
  "id": "GHSA-73gr-r64q-7jh4",
  "modified": "2026-03-30T17:49:57Z",
  "published": "2026-03-30T17:49:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.