Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑origin session theft leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated request to /objects/phpsessionid.json.php returns the PHP session ID of the session that made the request. Because the endpoint echoes the request's Origin header in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials to true, a page on a malicious site can have the victim's browser send that request with the victim's cookies and read the response across origins. The combination of an exposed session identifier and permissive CORS lets an attacker hijack the session and impersonate the account that owns it, a full account takeover.

Affected Systems

The flaw exists in the WWBN AVideo platform in all releases up to and including version 25.0. Any deployment of these affected releases, regardless of hosting environment, is susceptible as long as the /objects/phpsessionid.json.php endpoint remains publicly reachable.

Risk and Exploitability

The CVSS 3.1 score of 8.1 classifies this vulnerability as High severity. The EPSS rating of <1% indicates that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only network access to the server and a victim who, while logged in, visits an attacker-controlled page (the CVSS vector requires user interaction, UI:R): the browser's own Origin header is reflected by the vulnerable endpoint, the session token is read from the response, and it is then used to perform requests that authenticate as the victim.

Generated by OpenCVE AI on March 23, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to version 26.0 or later to eliminate the vulnerable endpoint and correct CORS handling.
  • If an upgrade is not immediately possible, configure the web server to block unauthenticated requests to /objects/phpsessionid.json.php or restrict that endpoint to trusted origins.
  • Modify the CORS policy so that Access-Control-Allow-Origin is set only from a predefined allowlist of exact origins rather than reflecting the request header, and send Access-Control-Allow-Credentials: true only for those origins.
  • Monitor web server logs for unexpected cross-origin requests to the endpoint (an Origin header that is not one of your own sites) and investigate any suspicious activity.
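To make the allowlist recommendation concrete, here is an added example (not AVideo's code, and written in Python only for illustration of the pattern) that contrasts a handler reflecting the Origin header with credentials against one that answers only for an exact-match allowlist. The allowed origins, the helper names and the HTTPS-only assumption are constructed for this example.

```python
"""Reflected-origin CORS (weak) beside an exact-match allowlist (the fix).
Constructed example: ALLOWED_ORIGINS and helper names are assumptions, not AVideo's code."""
from urllib.parse import urlsplit

# Constructed allowlist: the origins that legitimately call the site's API from a browser.
ALLOWED_ORIGINS = {"https://video.example.com", "https://app.example.com"}


def reflect_origin_headers(origin):
    """Weak pattern: echo whatever Origin arrived and allow credentials.
    Any site the victim visits passes the browser's CORS check, so a credentialed
    response (here one carrying the session ID) is readable cross-origin by that site."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_origin_headers(origin, allowed=ALLOWED_ORIGINS):
    """Hardened pattern: emit CORS headers only for an exact, normalized match.
    Exact match (not substring/prefix) stops look-alikes such as
    https://app.example.com.attacker.example; anything else gets no CORS headers
    at all, so the browser refuses the cross-origin read."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    # A real Origin is scheme://host[:port] only; reject anything carrying a path or query.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    normalized = f"https://{parts.netloc.lower()}"
    if normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches from serving one origin's headers to another
    }


def browser_allows_credentialed_read(headers, page_origin):
    """Model the browser's rule for credentialed responses: ACAO must equal the
    page's origin exactly (no wildcard) and ACAC must be exactly "true"."""
    return (headers.get("Access-Control-Allow-Origin") == page_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")
```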


Advisories

Source: GitHub GHSA
ID: GHSA-qc3p-398r-p59j
Title: AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
History

Wed, 25 Mar 2026 14:15:00 +0000
  Metrics, values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 15:30:00 +0000
  CPEs, values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 09:00:00 +0000
  First Time appeared, values added: Wwbn; Wwbn avideo
  Vendors & Products, values added: Wwbn; Wwbn avideo

Fri, 20 Mar 2026 06:00:00 +0000
  Description, values added: WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
  Title, values added: AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
  Weaknesses, values added: CWE-942
  References
  Metrics, values added: cvssV3_1
  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:55:29.106Z

Reserved: 2026-03-17T18:10:50.211Z

Link: CVE-2026-33043

Vulnrichment

Updated: 2026-03-25T13:55:19.244Z

NVD

Status: Analyzed

Published: 2026-03-20T06:16:12.670

Modified: 2026-03-23T15:28:09.777

Link: CVE-2026-33043

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:18Z

Weaknesses