GHSA-G9CM-RXP7-6GV5

Vulnerability from github – Published: 2026-05-05 19:11 – Updated: 2026-05-13 14:19
VLAI?
Summary
AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
Details

Summary

objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication.

Details

File: objects/notifySubscribers.json.php

10: if (!User::canUpload()) {
11:     forbiddenPage('You can not notify');
12: }
13: forbidIfIsUntrustedRequest('notifySubscribers');
14: $user_id = User::getId();
15: // if admin bring all subscribers
16: if (User::isAdmin()) {
17:     $user_id = '';
18: }
19:
20: require_once 'subscribe.php';
21: setRowCount(10000);
...
23: $Subscribes = Subscribe::getAllSubscribes($user_id);
...
34: $subject = 'Message From Site ' . $config->getWebSiteTitle();
35: $message = $_POST['message'];
36:
37: $resp = sendSiteEmail($to, $subject, $message);

Controls present at the entry point:

  • User::canUpload() — gates access to any account that can upload (a baseline authenticated uploader role; in typical AVideo configurations where authCanUploadVideos is enabled, this is any logged-in user with a verified email).
  • forbidIfIsUntrustedRequest('notifySubscribers') — in objects/functionsSecurity.php:138-165, this delegates to isUntrustedRequest() which only validates same-origin via requestComesFromSameDomainAsMyAVideo() (objects/functionsAVideo.php:199-206), i.e. a Referer/Origin header check. It is not a CSRF token. An attacker acting on their own authenticated browser session trivially satisfies the Referer check.

There is no CAPTCHA, no rate limit, no per-recipient quota, and no unsubscribe link. setRowCount(10000) allows up to 10,000 subscriber rows to be pulled and mailed in a single request. For admin callers (User::isAdmin()$user_id = ''), Subscribe::getAllSubscribes('') returns the entire subscriber set for the platform rather than the caller's channel.

File: objects/functionsMail.php

 59: function sendSiteEmail($to, $subject, $message, $fromEmail = '', $fromName = '')
 60: {
 ...
 78:     $subject = UTF8encode($subject);
 79:     $message = UTF8encode($message);            // UTF-8 normalization, no HTML handling
 80:     $message = createEmailMessageFromTemplate($message);
 ...
119:             $mail = new \PHPMailer\PHPMailer\PHPMailer();
120:             setSiteSendMessage($mail);
...
125:             $systemEmail = $config->getContactEmail();
126:             $systemName  = $config->getWebSiteTitle();
...
136:             $mail->setFrom($systemEmail, !empty($fromName) ? $fromName : $systemName);
...
143:             $mail->msgHTML($message);           // renders as HTML
...
162:             $resp = $mail->send();

266: function createEmailMessageFromTemplate($message)
267: {
268:     if (preg_match("/html>/i", $message)) {
269:         return $message;                       // attacker-supplied full-HTML is returned verbatim
270:     }
...
274:     $text = file_get_contents("{$global['systemRootPath']}view/include/emailTemplate.html");
...
279:     $words   = [$logo, $message, $siteTitle];
280:     $replace = ['{logo}', '{message}', '{siteTitle}'];
281:
282:     return str_replace($replace, $words, $text);   // raw substitution into HTML template
283: }

Execution flow from attacker input to sink:

  1. $_POST['message']objects/notifySubscribers.json.php:35 (raw, no validation).
  2. sendSiteEmail($to, $subject, $message) at objects/notifySubscribers.json.php:37.
  3. UTF8encode($message) at objects/functionsMail.php:79 (encoding only; does not strip or escape HTML).
  4. createEmailMessageFromTemplate($message) at objects/functionsMail.php:80str_replace('{message}', $message, $text) at objects/functionsMail.php:282, substituting attacker HTML directly into the {message} placeholder in view/include/emailTemplate.html.
  5. $mail->msgHTML($message) at objects/functionsMail.php:143. PHPMailer renders the combined template (containing the attacker's unsanitized HTML) as an HTML email.
  6. The From: header is $config->getContactEmail() / $config->getWebSiteTitle() (objects/functionsMail.php:125-136). The template contains the platform's logo via getURL($config->getLogo()). The result is an attacker-controlled HTML body delivered from the platform's trusted sender address, officially branded.

Note that the preg_match("/html>/i", $message) at line 268 actively helps the attacker: any payload containing <html> short-circuits template substitution and is sent as-is, allowing the attacker to control the full email body including DOCTYPE, head, and body.

PoC

  1. Obtain an account with upload permission (on AVideo installations where authCanUploadVideos is enabled, any registered and email-verified user qualifies). An admin account broadens the recipient set to the entire platform rather than just the attacker's own subscribers.
  2. Ensure the attacker's channel has at least one subscriber (via Subscribe::getAllSubscribes($user_id)), or use an admin account to target all platform subscribers.
  3. Submit the request. The Referer header must match the platform origin to pass forbidIfIsUntrustedRequest (trivial when running from the attacker's own authenticated browser):
curl -b 'PHPSESSID=<uploader_session>' -X POST \
  -H 'Referer: https://target.example/' \
  'https://target.example/objects/notifySubscribers.json.php' \
  --data-urlencode 'message=<h1 style="color:#c00">Action Required: Verify Your Account</h1>
<p>Dear Subscriber,</p>
<p>We detected unusual activity on your account. Please
<a href="https://attacker.example/phish">click here to verify your identity within 24 hours</a>
or your account will be suspended.</p>
<p>Thank you,<br>The Support Team</p>
<img src="https://attacker.example/track.png" width="1" height="1">'
  1. Expected response:
{"error": false, "msg": ""}
  1. Every subscriber in the target set receives an HTML email:
  2. From: <contact@target.example> (the platform's configured contact email — not the attacker's address).
  3. Subject: Message From Site <SiteTitle> - <SiteTitle> (built at objects/notifySubscribers.json.php:34 + objects/functionsMail.php:138-141).

  4. Body: the view/include/emailTemplate.html template with the platform's real logo substituted at {logo} and the attacker's unsanitized HTML substituted at {message}, including the phishing anchor and tracking pixel.

  5. Delivery is batched via partition($to, $size) at objects/functionsMail.php:114-118 over up to 10,000 subscribers in a single request. There is no rate limit, CAPTCHA, confirmation step, or unsubscribe header.

Impact

  • Any authenticated uploader can weaponize the platform's own email infrastructure and brand (contact email, logo, site title) to deliver phishing content to their channel subscribers.
  • Because the From: address is the platform's canonical contact email and the template wraps the attacker content in the official logo and site title, recipients have no visible indication that the content originated from an uploader rather than the operator. Recipients who have previously received legitimate notifications from the same address are especially likely to trust the email.
  • Phishing payloads can include credential-stealing links mimicking password reset / account verification flows, tracking pixels that enumerate subscriber IPs and mail-client metadata, and CSS-based UI spoofing over the template.
  • An admin account (User::isAdmin()$user_id = '') expands the blast radius to every subscriber record on the platform, not just the attacker's own subscribers.
  • Up to 10,000 recipients per request with no rate limiting, CAPTCHA, or unsubscribe link, so a compromised or malicious uploader can sustain large phishing campaigns at minimal cost, while the sending IP reputation is borne by the platform operator.
  • A stolen uploader session (e.g., via an unrelated XSS or token leak) is sufficient to mount the attack; no additional credentials or admin access are required.

Recommended Fix

Sanitize or encode $_POST['message'] before it reaches PHPMailer::msgHTML(). Options, in order of preference:

  1. Reject HTML outright and force plain text. In objects/notifySubscribers.json.php:

php $message = $_POST['message'] ?? ''; // Strip all HTML; allow only newlines / plain text. $message = strip_tags($message); $message = nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

  1. Or allow a very restricted subset using a proven HTML sanitizer (e.g. HTMLPurifier with a minimal whitelist: p, br, strong, em, a[href|title], ul, ol, li), and forbid <script>, <style>, inline event handlers, <img>, <iframe>, data:/javascript: URIs, and framework-style template tokens.

  2. Additionally remove the preg_match("/html>/i", $message) short-circuit at objects/functionsMail.php:268-270, which lets a caller replace the entire email body by including a <html> tag. The template should always be applied.

  3. Defense in depth:

  4. Require a real anti-CSRF token on this endpoint (e.g. validateCSRF() with a per-session token in a header or POST field), and drop the Referer-only forbidIfIsUntrustedRequest as the sole protection.
  5. Require User::isAdmin() to notify subscribers from accounts not scoped to a channel; for non-admin uploaders, make the From display name clearly attribute the message to the uploader ("{uploaderName} via {siteTitle} <contact@site>" already works for non-system senders in objects/functionsMail.php:130-134 — apply the same attribution to subscriber notifications).
  6. Enforce per-account and per-IP rate limits on notifySubscribers.json.php (e.g. one broadcast per account per N hours, max M recipients per day).
  7. Include a List-Unsubscribe header and a per-recipient unsubscribe link.
  8. Add a preview + confirmation step before dispatch.
Severity ?
6.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T19:11:32Z",
    "nvd_published_at": "2026-05-11T22:22:11Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`objects/notifySubscribers.json.php` takes the raw `message` POST parameter and passes it into `sendSiteEmail()`, which substitutes it directly into an HTML email template (via `str_replace` on the `{message}` placeholder) and renders it with `PHPMailer::msgHTML()`. There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled `message` between `$_POST[\u0027message\u0027]` and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML \u2014 phishing links, tracking pixels, CSS/UI spoofing \u2014 to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform\u0027s configured contact address and wrapped in the site\u0027s official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication.\n\n## Details\n\n**File:** `objects/notifySubscribers.json.php`\n\n```php\n10: if (!User::canUpload()) {\n11:     forbiddenPage(\u0027You can not notify\u0027);\n12: }\n13: forbidIfIsUntrustedRequest(\u0027notifySubscribers\u0027);\n14: $user_id = User::getId();\n15: // if admin bring all subscribers\n16: if (User::isAdmin()) {\n17:     $user_id = \u0027\u0027;\n18: }\n19:\n20: require_once \u0027subscribe.php\u0027;\n21: setRowCount(10000);\n...\n23: $Subscribes = Subscribe::getAllSubscribes($user_id);\n...\n34: $subject = \u0027Message From Site \u0027 . $config-\u003egetWebSiteTitle();\n35: $message = $_POST[\u0027message\u0027];\n36:\n37: $resp = sendSiteEmail($to, $subject, $message);\n```\n\nControls present at the entry point:\n\n- `User::canUpload()` \u2014 gates access to any account that can upload (a baseline authenticated uploader role; in typical AVideo configurations where `authCanUploadVideos` is enabled, this is any logged-in user with a verified email).\n- `forbidIfIsUntrustedRequest(\u0027notifySubscribers\u0027)` \u2014 in `objects/functionsSecurity.php:138-165`, this delegates to `isUntrustedRequest()` which only validates same-origin via `requestComesFromSameDomainAsMyAVideo()` (`objects/functionsAVideo.php:199-206`), i.e. a Referer/Origin header check. It is **not** a CSRF token. An attacker acting on their own authenticated browser session trivially satisfies the Referer check.\n\nThere is no CAPTCHA, no rate limit, no per-recipient quota, and no unsubscribe link. `setRowCount(10000)` allows up to 10,000 subscriber rows to be pulled and mailed in a single request. For admin callers (`User::isAdmin()` \u2192 `$user_id = \u0027\u0027`), `Subscribe::getAllSubscribes(\u0027\u0027)` returns the entire subscriber set for the platform rather than the caller\u0027s channel.\n\n**File:** `objects/functionsMail.php`\n\n```php\n 59: function sendSiteEmail($to, $subject, $message, $fromEmail = \u0027\u0027, $fromName = \u0027\u0027)\n 60: {\n ...\n 78:     $subject = UTF8encode($subject);\n 79:     $message = UTF8encode($message);            // UTF-8 normalization, no HTML handling\n 80:     $message = createEmailMessageFromTemplate($message);\n ...\n119:             $mail = new \\PHPMailer\\PHPMailer\\PHPMailer();\n120:             setSiteSendMessage($mail);\n...\n125:             $systemEmail = $config-\u003egetContactEmail();\n126:             $systemName  = $config-\u003egetWebSiteTitle();\n...\n136:             $mail-\u003esetFrom($systemEmail, !empty($fromName) ? $fromName : $systemName);\n...\n143:             $mail-\u003emsgHTML($message);           // renders as HTML\n...\n162:             $resp = $mail-\u003esend();\n```\n\n```php\n266: function createEmailMessageFromTemplate($message)\n267: {\n268:     if (preg_match(\"/html\u003e/i\", $message)) {\n269:         return $message;                       // attacker-supplied full-HTML is returned verbatim\n270:     }\n...\n274:     $text = file_get_contents(\"{$global[\u0027systemRootPath\u0027]}view/include/emailTemplate.html\");\n...\n279:     $words   = [$logo, $message, $siteTitle];\n280:     $replace = [\u0027{logo}\u0027, \u0027{message}\u0027, \u0027{siteTitle}\u0027];\n281:\n282:     return str_replace($replace, $words, $text);   // raw substitution into HTML template\n283: }\n```\n\nExecution flow from attacker input to sink:\n\n1. `$_POST[\u0027message\u0027]` \u2192 `objects/notifySubscribers.json.php:35` (raw, no validation).\n2. \u2192 `sendSiteEmail($to, $subject, $message)` at `objects/notifySubscribers.json.php:37`.\n3. \u2192 `UTF8encode($message)` at `objects/functionsMail.php:79` (encoding only; does not strip or escape HTML).\n4. \u2192 `createEmailMessageFromTemplate($message)` at `objects/functionsMail.php:80` \u2192 `str_replace(\u0027{message}\u0027, $message, $text)` at `objects/functionsMail.php:282`, substituting attacker HTML directly into the `{message}` placeholder in `view/include/emailTemplate.html`.\n5. \u2192 `$mail-\u003emsgHTML($message)` at `objects/functionsMail.php:143`. PHPMailer renders the combined template (containing the attacker\u0027s unsanitized HTML) as an HTML email.\n6. The `From:` header is `$config-\u003egetContactEmail()` / `$config-\u003egetWebSiteTitle()` (`objects/functionsMail.php:125-136`). The template contains the platform\u0027s logo via `getURL($config-\u003egetLogo())`. The result is an attacker-controlled HTML body delivered from the platform\u0027s trusted sender address, officially branded.\n\nNote that the `preg_match(\"/html\u003e/i\", $message)` at line 268 actively *helps* the attacker: any payload containing `\u003chtml\u003e` short-circuits template substitution and is sent as-is, allowing the attacker to control the full email body including DOCTYPE, head, and body.\n\n## PoC\n\n1. Obtain an account with upload permission (on AVideo installations where `authCanUploadVideos` is enabled, any registered and email-verified user qualifies). An admin account broadens the recipient set to the entire platform rather than just the attacker\u0027s own subscribers.\n2. Ensure the attacker\u0027s channel has at least one subscriber (via `Subscribe::getAllSubscribes($user_id)`), or use an admin account to target all platform subscribers.\n3. Submit the request. The `Referer` header must match the platform origin to pass `forbidIfIsUntrustedRequest` (trivial when running from the attacker\u0027s own authenticated browser):\n\n```bash\ncurl -b \u0027PHPSESSID=\u003cuploader_session\u003e\u0027 -X POST \\\n  -H \u0027Referer: https://target.example/\u0027 \\\n  \u0027https://target.example/objects/notifySubscribers.json.php\u0027 \\\n  --data-urlencode \u0027message=\u003ch1 style=\"color:#c00\"\u003eAction Required: Verify Your Account\u003c/h1\u003e\n\u003cp\u003eDear Subscriber,\u003c/p\u003e\n\u003cp\u003eWe detected unusual activity on your account. Please\n\u003ca href=\"https://attacker.example/phish\"\u003eclick here to verify your identity within 24 hours\u003c/a\u003e\nor your account will be suspended.\u003c/p\u003e\n\u003cp\u003eThank you,\u003cbr\u003eThe Support Team\u003c/p\u003e\n\u003cimg src=\"https://attacker.example/track.png\" width=\"1\" height=\"1\"\u003e\u0027\n```\n\n4. Expected response:\n\n```json\n{\"error\": false, \"msg\": \"\"}\n```\n\n5. Every subscriber in the target set receives an HTML email:\n   - `From:` `\u003ccontact@target.example\u003e` (the platform\u0027s configured contact email \u2014 not the attacker\u0027s address).\n   - `Subject:` `Message From Site \u003cSiteTitle\u003e - \u003cSiteTitle\u003e` (built at `objects/notifySubscribers.json.php:34` + `objects/functionsMail.php:138-141`).\n   - Body: the `view/include/emailTemplate.html` template with the platform\u0027s real logo substituted at `{logo}` and the attacker\u0027s unsanitized HTML substituted at `{message}`, including the phishing anchor and tracking pixel.\n\n6. Delivery is batched via `partition($to, $size)` at `objects/functionsMail.php:114-118` over up to 10,000 subscribers in a single request. There is no rate limit, CAPTCHA, confirmation step, or unsubscribe header.\n\n## Impact\n\n- Any authenticated uploader can weaponize the platform\u0027s own email infrastructure and brand (contact email, logo, site title) to deliver phishing content to their channel subscribers.\n- Because the `From:` address is the platform\u0027s canonical contact email and the template wraps the attacker content in the official logo and site title, recipients have no visible indication that the content originated from an uploader rather than the operator. Recipients who have previously received legitimate notifications from the same address are especially likely to trust the email.\n- Phishing payloads can include credential-stealing links mimicking password reset / account verification flows, tracking pixels that enumerate subscriber IPs and mail-client metadata, and CSS-based UI spoofing over the template.\n- An admin account (`User::isAdmin()` \u2192 `$user_id = \u0027\u0027`) expands the blast radius to every subscriber record on the platform, not just the attacker\u0027s own subscribers.\n- Up to 10,000 recipients per request with no rate limiting, CAPTCHA, or unsubscribe link, so a compromised or malicious uploader can sustain large phishing campaigns at minimal cost, while the sending IP reputation is borne by the platform operator.\n- A stolen uploader session (e.g., via an unrelated XSS or token leak) is sufficient to mount the attack; no additional credentials or admin access are required.\n\n## Recommended Fix\n\nSanitize or encode `$_POST[\u0027message\u0027]` before it reaches `PHPMailer::msgHTML()`. Options, in order of preference:\n\n1. **Reject HTML outright** and force plain text. In `objects/notifySubscribers.json.php`:\n\n   ```php\n   $message = $_POST[\u0027message\u0027] ?? \u0027\u0027;\n   // Strip all HTML; allow only newlines / plain text.\n   $message = strip_tags($message);\n   $message = nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, \u0027UTF-8\u0027));\n   ```\n\n2. **Or** allow a very restricted subset using a proven HTML sanitizer (e.g. `HTMLPurifier` with a minimal whitelist: `p, br, strong, em, a[href|title], ul, ol, li`), and forbid `\u003cscript\u003e`, `\u003cstyle\u003e`, inline event handlers, `\u003cimg\u003e`, `\u003ciframe\u003e`, `data:`/`javascript:` URIs, and framework-style template tokens.\n\n3. **Additionally** remove the `preg_match(\"/html\u003e/i\", $message)` short-circuit at `objects/functionsMail.php:268-270`, which lets a caller replace the entire email body by including a `\u003chtml\u003e` tag. The template should always be applied.\n\n4. **Defense in depth:**\n   - Require a real anti-CSRF token on this endpoint (e.g. `validateCSRF()` with a per-session token in a header or POST field), and drop the Referer-only `forbidIfIsUntrustedRequest` as the sole protection.\n   - Require `User::isAdmin()` to notify subscribers from accounts not scoped to a channel; for non-admin uploaders, make the `From` display name clearly attribute the message to the uploader (`\"{uploaderName} via {siteTitle} \u003ccontact@site\u003e\"` already works for non-system senders in `objects/functionsMail.php:130-134` \u2014 apply the same attribution to subscriber notifications).\n   - Enforce per-account and per-IP rate limits on `notifySubscribers.json.php` (e.g. one broadcast per account per N hours, max M recipients per day).\n   - Include a List-Unsubscribe header and a per-recipient unsubscribe link.\n   - Add a preview + confirmation step before dispatch.",
  "id": "GHSA-g9cm-rxp7-6gv5",
  "modified": "2026-05-13T14:19:33Z",
  "published": "2026-05-05T19:11:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g9cm-rxp7-6gv5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43876"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/078c4342eb9969a70425a9cdca3eefa7f8a86d53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.