GHSA-96QP-8CMQ-JVQ8

Vulnerability from github – Published: 2026-03-20 20:57 – Updated: 2026-03-25 20:31
VLAI?
Summary
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Details

Summary

The endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (add.json.php, delete.json.php, index.php) properly require User::isAdmin(), indicating this is an oversight.

Details

The vulnerable file at plugin/Permissions/View/Users_groups_permissions/list.json.php:1-7 contains:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Permissions/Objects/Users_groups_permissions.php';
header('Content-Type: application/json');

$rows = Users_groups_permissions::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

This calls ObjectYPT::getAll() (defined in objects/Object.php:98-111), which executes:

$sql = "SELECT * FROM  " . static::getTableName() . " WHERE 1=1 ";
$sql .= self::getSqlFromPost();

This returns all rows from the users_groups_permissions table as JSON with no access control.

Compare with the sibling add.json.php:10-15 and delete.json.php:9-14, which both enforce:

$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
if(!User::isAdmin()){
    $obj->msg = "You cant do this";
    die(json_encode($obj));
}

Similarly, index.php:6-8 (the admin page that loads this data via AJAX) checks:

if (!User::isAdmin()) {
    forbiddenPage("You can not do this");
    exit;
}

No .htaccess or web server configuration restricts direct access to this endpoint.

PoC

# Retrieve complete permission mappings without authentication
curl -s https://target/plugin/Permissions/View/Users_groups_permissions/list.json.php

Expected response (admin-only data):

{"data": [{"id":"1","name":null,"users_groups_id":"2","plugins_id":"5","type":"1","status":"a"}, ...]}

Each row reveals: - users_groups_id — numeric ID of a user group - plugins_id — numeric ID of an installed plugin - type — the permission level granted - status — whether the permission is active (a) or inactive

The getSqlFromPost() method also processes $_POST['sort'] and $_GET parameters, allowing an attacker to paginate and sort results to extract all data systematically.

Impact

An unauthenticated attacker can enumerate the complete authorization model of the AVideo instance:

  • All user group IDs and which plugins each group can access
  • All installed plugin IDs and their permission configurations
  • Permission types and active/inactive status for each group-plugin pair

This information provides a detailed roadmap of the application's authorization architecture, significantly aiding targeted privilege escalation, as an attacker would know exactly which groups have access to which plugins and what permission types are assigned. While not directly exploitable for data modification, it reduces the attacker's effort for follow-up attacks.

Recommended Fix

Add the same admin authorization check used by the sibling endpoints. In plugin/Permissions/View/Users_groups_permissions/list.json.php:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Permissions/Objects/Users_groups_permissions.php';
header('Content-Type: application/json');

$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
if(!User::isAdmin()){
    die(json_encode(['error' => true, 'msg' => 'You cant do this']));
}

$rows = Users_groups_permissions::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:57:43Z",
    "nvd_published_at": "2026-03-23T17:16:51Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight.\n\n## Details\n\nThe vulnerable file at `plugin/Permissions/View/Users_groups_permissions/list.json.php:1-7` contains:\n\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Permissions/Objects/Users_groups_permissions.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Users_groups_permissions::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\nThis calls `ObjectYPT::getAll()` (defined in `objects/Object.php:98-111`), which executes:\n\n```php\n$sql = \"SELECT * FROM  \" . static::getTableName() . \" WHERE 1=1 \";\n$sql .= self::getSqlFromPost();\n```\n\nThis returns all rows from the `users_groups_permissions` table as JSON with no access control.\n\nCompare with the sibling `add.json.php:10-15` and `delete.json.php:9-14`, which both enforce:\n\n```php\n$plugin = AVideoPlugin::loadPluginIfEnabled(\u0027Permissions\u0027);\nif(!User::isAdmin()){\n    $obj-\u003emsg = \"You cant do this\";\n    die(json_encode($obj));\n}\n```\n\nSimilarly, `index.php:6-8` (the admin page that loads this data via AJAX) checks:\n\n```php\nif (!User::isAdmin()) {\n    forbiddenPage(\"You can not do this\");\n    exit;\n}\n```\n\nNo `.htaccess` or web server configuration restricts direct access to this endpoint.\n\n## PoC\n\n```bash\n# Retrieve complete permission mappings without authentication\ncurl -s https://target/plugin/Permissions/View/Users_groups_permissions/list.json.php\n```\n\n**Expected response (admin-only data):**\n```json\n{\"data\": [{\"id\":\"1\",\"name\":null,\"users_groups_id\":\"2\",\"plugins_id\":\"5\",\"type\":\"1\",\"status\":\"a\"}, ...]}\n```\n\nEach row reveals:\n- `users_groups_id` \u2014 numeric ID of a user group\n- `plugins_id` \u2014 numeric ID of an installed plugin\n- `type` \u2014 the permission level granted\n- `status` \u2014 whether the permission is active (`a`) or inactive\n\nThe `getSqlFromPost()` method also processes `$_POST[\u0027sort\u0027]` and `$_GET` parameters, allowing an attacker to paginate and sort results to extract all data systematically.\n\n## Impact\n\nAn unauthenticated attacker can enumerate the complete authorization model of the AVideo instance:\n\n- **All user group IDs** and which plugins each group can access\n- **All installed plugin IDs** and their permission configurations\n- **Permission types and active/inactive status** for each group-plugin pair\n\nThis information provides a detailed roadmap of the application\u0027s authorization architecture, significantly aiding targeted privilege escalation, as an attacker would know exactly which groups have access to which plugins and what permission types are assigned. While not directly exploitable for data modification, it reduces the attacker\u0027s effort for follow-up attacks.\n\n## Recommended Fix\n\nAdd the same admin authorization check used by the sibling endpoints. In `plugin/Permissions/View/Users_groups_permissions/list.json.php`:\n\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Permissions/Objects/Users_groups_permissions.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$plugin = AVideoPlugin::loadPluginIfEnabled(\u0027Permissions\u0027);\nif(!User::isAdmin()){\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027You cant do this\u0027]));\n}\n\n$rows = Users_groups_permissions::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```",
  "id": "GHSA-96qp-8cmq-jvq8",
  "modified": "2026-03-25T20:31:42Z",
  "published": "2026-03-20T20:57:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.