Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The CloneSite plugin’s client.log.php endpoint fails to enforce authentication, allowing anyone to download the clone operation log. The log contains sensitive internal filesystem paths, URLs of remote servers, and SSH connection details, providing an attacker with configuration and exposure information that could aid further compromise. Because the data is available to unauthenticated users, this represents a clear information disclosure flaw.

Affected Systems

Vulnerable installations run WWBN AVideo version 26.0 or earlier and employ the CloneSite plugin without an update that secures client.log.php. All such instances that have not migrated to a newer release that requires administrative authentication are at risk, regardless of other security controls within the plugin.

Risk and Exploitability

The flaw carries a CVSS score of 5.3, indicating moderate severity. The probability of exploitation is low, with an EPSS percentile below 1%. The path to disclosure is straightforward: a simple HTTP GET request to /plugin/CloneSite/client.log.php. In environments where attackers could later use the gathered configuration, the impact could extend to component exploitation or privilege escalation.

Generated by OpenCVE AI on April 14, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest AVideo release that requires authentication for client.log.php
  • Verify that the endpoint no longer serves log files without requiring administrative access
  • If an immediate update is not feasible, restrict web access to the CloneSite directory using server configuration (e.g., .htaccess, firewall, or IP filtering)

Generated by OpenCVE AI on April 14, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-99j6-hj87-6fcf AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
History

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.
Title WWBN AVideo has Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:08:17.131Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35452

cve-icon Vulnrichment

Updated: 2026-04-08T14:08:14.071Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T22:16:23.610

Modified: 2026-04-14T15:37:41.140

Link: CVE-2026-35452

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses