Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a `socketLiveOFFCallback` notification containing the victim's broadcast key and user ID to all connected WebSocket clients. Commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 fixes the issue.
Published: 2026-03-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Live Stream Posters
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an IDOR in the Live uploadPoster.php script. Any authenticated user can submit a request with an arbitrary live_schedule_id, overriding the poster image for the target scheduled live stream. After the image is changed, the endpoint broadcasts a socketLiveOFFCallback notification that includes the victim’s broadcast key and user ID to every connected WebSocket client. This allows an attacker to tamper with other users’ live streams and potentially expose sensitive identifiers. The weakness is classified as CWE‑862.

Affected Systems

This flaw exists in WWBN’s AVideo platform through version 26.0. It affects all deployments of the open‑source media platform that run the legacy uploadPoster.php handler under the Live module.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1 % suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated session; any user with valid credentials can issue a simple HTTP/HTTPS POST to the endpoint with a chosen live_schedule_id. The attacker can overwrite the poster and trigger false socket notifications, but cannot gain remote code execution or full system compromise. The impact is limited to data integrity and potential social‑engineering of stream recipients.

Generated by OpenCVE AI on March 31, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to version 26.1 or later with commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 applied.

Generated by OpenCVE AI on March 31, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g3hj-mf85-679g AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
History

Tue, 31 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a `socketLiveOFFCallback` notification containing the victim's broadcast key and user ID to all connected WebSocket clients. Commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 fixes the issue.
Title AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T17:29:15.757Z

Reserved: 2026-03-26T16:22:29.035Z

Link: CVE-2026-34247

cve-icon Vulnrichment

Updated: 2026-03-27T17:29:11.812Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T17:16:30.213

Modified: 2026-03-31T16:36:54.520

Link: CVE-2026-34247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:57Z

Weaknesses