Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also trigger a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix.
Published: 2026-05-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A legacy endpoint in WWBN AVideo, objects/userSavePhoto.php, accepts a base64‑encoded POST payload and writes the decoded bytes directly to a user‑specific PNG file. Only a logged‑in check is performed; there is no CSRF token, no origin verification, and no MIME validation. Because the platform's default cookie policy is SameSite=None; Secure, an attacker can lure a logged‑in user to a malicious web page that issues an authenticated POST request, causing the service to overwrite the target's profile photo and trigger a global cache clear. The CVSS v3.1 score of 5.4 classifies the flaw as medium severity: an attacker can alter user asset integrity and potentially disrupt service availability through repeated cache invalidations.

Affected Systems

Versions of WWBN AVideo up to and including 29.0 contain the vulnerable endpoint. The vendor provided a fix in commit 9c38468041505e637101c5943c5370c68f48e3ac, which is incorporated in releases 29.1 and later. The newer releases disable the public CSRF‑vulnerable path and strengthen the CSRF filter for the profile‑photo upload.

Risk and Exploitability

The likely attack vector is a cross‑origin HTTP POST issued by a malicious page that a logged‑in admin or user visits; the browser attaches the session cookie because of the SameSite=None setting. No additional conditions are required beyond a regular authenticated session. The vulnerability is not listed in CISA KEV, and no EPSS score is available, so the exact exploitation probability cannot be quantified. Given the public availability of the forked software and the absence of further prerequisites, the risk is considered moderate but manageable by applying the vendor‑issued fix.
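To check whether the endpoint has been hit from other origins, the web server's access log can be scanned for POSTs to objects/userSavePhoto.php whose Referer is missing or points off-site. The script below is an added example, not part of the advisory or of AVideo; it assumes the combined log format, and the hostname videos.example.test and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

ENDPOINT = "/objects/userSavePhoto.php"  # legacy endpoint named in the advisory
SITE_HOST = "videos.example.test"        # assumption: hostname of your AVideo site

# Apache/nginx "combined" log format (assumed).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2026:10:00:01 +0000] "POST /objects/userSavePhoto.php HTTP/1.1" 200 31 "https://videos.example.test/user" "Mozilla/5.0"',
    '198.51.100.9 - - [11/May/2026:10:02:13 +0000] "POST /objects/userSavePhoto.php HTTP/1.1" 200 31 "https://lure.example.net/promo.html" "Mozilla/5.0"',
    '198.51.100.9 - - [11/May/2026:10:02:14 +0000] "POST /objects/userSavePhoto.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/May/2026:10:03:00 +0000] "GET /videos/userPhoto/photo12.png HTTP/1.1" 200 5120 "https://videos.example.test/" "Mozilla/5.0"',
]

def referer_host(referer):
    """Hostname of a Referer value, or None when absent or unparseable."""
    if referer in ("", "-"):
        return None
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def suspicious_posts(lines, site_host=SITE_HOST):
    """Return POSTs to the endpoint whose Referer is off-site or missing."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith(ENDPOINT):
            continue
        host = referer_host(m["referer"])
        if host and host.lower() == site_host.lower():
            continue  # same-site submission from the site's own pages
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "referer_host": host or "(none)",
                     "verdict": "cross-site" if host else "no-referer"})
    return hits

def summarize(hits):
    """Count hits per referring host; every hit also implies a cache clear."""
    return Counter(h["referer_host"] for h in hits)
```

A missing Referer is reported separately because a referring page can suppress the header, so those entries need manual review rather than being treated as benign.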

Generated by OpenCVE AI on May 11, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WWBN AVideo 29.1 or later, which includes the CSRF fix in the referenced commit
  • If an upgrade is not immediately possible, block or rename the legacy userSavePhoto.php endpoint (e.g., move the file or add a server‑side deny rule) to prevent unauthenticated or forged requests
  • Configure the web server to set the cookie SameSite=Lax or otherwise restrict cross‑site POST requests to mitigate the CSRF attack surface while a patch is applied

Generated by OpenCVE AI on May 11, 2026 at 23:26 UTC.


Advisories
Source | ID | Title
Github GHSA | GHSA-jw8g-5j46-44rp | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
History

Mon, 11 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wwbn; Wwbn avideo
Vendors & Products | | Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also trigger a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix.
Title | | WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:37:43.563Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43877

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T22:22:12.113

Modified: 2026-05-12T18:17:28.270

Link: CVE-2026-43877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z
