Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory. Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.
Published: 2026-05-11
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the CloneSite plugin of WWBN AVideo. Versions up to and including 29.0 contain a code path that, when an unauthenticated request is made to cloneClient.json.php, echoes the local CloneSite shared secret ($objClone->myKey). This secret is a constant md5 hash of the system root path and salt, and acts as the credential for the remote clone server. By exposing this value the application violates confidentiality, as attackers can obtain the authentication key and impersonate the legitimate user on the remote cloneSiteURL. Once authenticated, the attacker can invoke cloneServer.json.php on the remote server to trigger a full mysqldump, whose output is written to the remote public videos/clones/ directory. The result is a complete database dump that can be accessed publicly, exposing all user data, configuration, and potentially credentials.
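The following is an added illustration of the CWE-209 pattern the description names, not AVideo's own code: a hypothetical rejection branch that interpolates the expected myKey into its error message, beside a hardened branch that rejects with a generic message and logs without the secret. The stub class, function names, constructed root path and salt, and the self-check loop are all assumptions.

```php
<?php
// Added illustration (not AVideo's code). myKey = md5(systemRootPath . salt)
// follows the advisory; everything else here is a constructed stand-in.

class CloneSiteClientStub {
    public string $myKey;
    public function __construct(string $systemRootPath, string $salt) {
        // Constant per install, as the advisory describes
        $this->myKey = md5($systemRootPath . $salt);
    }
}

// VULNERABLE pattern (hypothetical reconstruction): the expected secret is
// part of the message returned to an unauthenticated caller (CWE-209).
function rejectVulnerable(CloneSiteClientStub $objClone, ?string $key, bool $isAdmin): string {
    if (!$isAdmin && $key !== $objClone->myKey) {
        return json_encode([
            'error' => true,
            'msg'   => "Invalid key, expected {$objClone->myKey}", // leaks the credential
        ]);
    }
    return json_encode(['error' => false]);
}

// HARDENED pattern: constant-time comparison, a generic client-facing message,
// and a server-side log line that records the failure without the secret.
function rejectHardened(CloneSiteClientStub $objClone, ?string $key, bool $isAdmin): string {
    $keyOk = is_string($key) && hash_equals($objClone->myKey, $key);
    if (!$isAdmin && !$keyOk) {
        error_log('CloneSite: rejected request with missing or invalid key'); // no secret logged
        http_response_code(403);
        return json_encode(['error' => true, 'msg' => 'Invalid key']);
    }
    return json_encode(['error' => false]);
}

// Self-check (constructed inputs): does each rejection body contain myKey?
$objClone = new CloneSiteClientStub('/var/www/html/avideo/', 'constructed-salt');
foreach (['rejectVulnerable', 'rejectHardened'] as $fn) {
    $body  = $fn($objClone, null, false);           // unauthenticated, no key supplied
    $leaks = str_contains($body, $objClone->myKey);
    echo $fn . ': ' . ($leaks ? 'LEAKS myKey' : 'does not leak myKey') . "\n";
}
```

Running the script prints one line per variant; only rejectVulnerable reports a leak, which is the property a regression test for the fixed endpoint should assert.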

Affected Systems

The affected vendor is WWBN; the product is AVideo, specifically the CloneSite plugin interface. All released versions through 29.0 are impacted. Systems that have CloneSite configured with a remote cloneSiteURL for federation or backup are at risk, as the leaked key can be used to authenticate to the remote site.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating a high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires only the ability to send an unauthenticated request to the vulnerable endpoint, making it relatively easy for an attacker with network access to the vulnerable instance. Once the secret is disclosed, the attacker can remotely dump the database on the configured clone server. No additional privileges or complex conditions are required beyond reaching the affected URL.

Generated by OpenCVE AI on May 11, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version newer than 29.0 or apply the fix from commit e6566f56a28f4556b2a0a09d03717a719dcb49da, which removes the secret echo from the error path.
  • If the CloneSite plugin is not required, disable or uninstall it to eliminate the attack surface.
  • Restrict unauthenticated access to the cloneClient.json.php endpoint using web server rules or firewall rules, ensuring that only authenticated administrators can reach the endpoint.


Advisories
Source: GitHub GHSA
ID: GHSA-qm9p-p5pw-jrx2
Title: AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
History

Mon, 11 May 2026 23:30:00 +0000

Type: First Time appeared
Values Added: Wwbn, Wwbn avideo
Type: Vendors & Products
Values Added: Wwbn, Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory. Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.
Type: Title
Values Added: WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
Type: Weaknesses
Values Added: CWE-209
Type: References
Type: Metrics
Values Added: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:31:06.454Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43873

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T22:22:11.703

Modified: 2026-05-11T22:22:11.703

Link: CVE-2026-43873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:15:08Z

Weaknesses