Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.
Published: 2026-04-21
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Full Site Configuration Tampering
Action: Immediate Patch
AI Analysis

Impact

A cross‑site request forgery flaw exists in the configurationUpdate.json.php endpoint of WWBN AVideo. The code uses only User::isAdmin() to protect the endpoint and ignores CSRF mitigations such as forbidIfIsUntrustedRequest, a globalToken, and Origin/Referer headers. Because the application sets session.cookie_samesite=None, a logged‑in administrator can be induced to issue a cross‑origin POST that changes global site settings, including encoder URL, SMTP credentials, header HTML, logo, favicon, and contact email.

Affected Systems

The flaw affects versions 29.0 and earlier of the WWBN AVideo open‑source video platform. No later releases have been verified to contain the vulnerability; the fix appears in commit f9492f5e6123dff0292d5bb3164fde7665dc36b4. Systems running affected versions should be upgraded promptly.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, and the vulnerability can be exploited by an attacker without additional privileges beyond an administrator account. EPSS information is unavailable and the issue is not listed in CISA’s KEV catalog, but the absence of CSRF protections combined with the browser’s cookie policy allows a malicious page to automatically submit the takeover request. The operation gives the attacker control over SMTP credentials, encoder URL, and site branding elements.

Generated by OpenCVE AI on April 22, 2026 at 06:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to any version newer than 29.0, applying the patch in commit f9492f5e6123dff0292d5bb3164fde7665dc36b4.
  • If an upgrade cannot be performed immediately, restrict the /updateConfig endpoint to same‑origin requests by enabling Origin/Referer checks and enforcing CSRF tokens.
  • Consider disabling session.cookie_samesite=None or adopting a stricter cookie policy if cross‑origin iframe embedding is not essential.
  • Rotate administrator credentials after applying the patch in case they were exposed.

Generated by OpenCVE AI on April 22, 2026 at 06:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.
Title WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:35:55.243Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40925

cve-icon Vulnrichment

Updated: 2026-04-21T20:35:01.034Z

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:45.903

Modified: 2026-04-21T21:16:45.903

Link: CVE-2026-40925

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:45:10Z

Weaknesses