Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.
Published: 2026-05-29
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic cross‑site request forgery flaw in the AVideo 2FA toggle endpoint. The endpoint accepts a POST request with set2FA set to false and executes the toggle without any CSRF token validation, SameSite cookie enforcement, or re‑authentication. As a result, an attacker can craft a malicious page that a logged‑in user visits, and without the user’s knowledge the attacker flips the victim’s two‑factor authentication off. This removes a layer of account security and could allow the attacker to subsequently take over that account. The weakness maps to CWE‑306 (Missing Authentication for Sensitive Function) and CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

The flaw exists in the LoginControl plugin of WWBN AVideo (plugin/LoginControl/set.json.php) on version 29.0 and earlier. Any installation of AVideo that has not applied the vendor‑released patch or upgraded to a version that includes CSRF protection for the set.json.php endpoint is affected.

Risk and Exploitability

With a CVSS score of 5.7 the risk is moderate, but because the attack only requires ordinary web traffic from a user who is already logged in, the likelihood of exploitation is not negligible. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, yet attackers can leverage it by hosting any malicious page that triggers the hidden form or fetch request. The vulnerability is exploitable only when the user is authenticated to the AVideo admin interface and the victim’s browser attaches the session cookie to cross‑origin requests, i.e. the cookie carries no SameSite restriction.

Generated by OpenCVE AI on May 29, 2026 at 15:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to the latest release or apply the vendor‑supplied security patch that adds CSRF token validation and SameSite enforcement to the 2FA toggle endpoint.
  • If an upgrade is not immediately possible, restrict administrative pages to a known IP range or require VPN access to limit exposure to malicious cross‑origin traffic.
  • Configure the session cookie with the SameSite=Lax or Strict attribute and enforce an Origin/Referer header check on sensitive POST endpoints as an interim protection measure.
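The following is an added PHP example, not AVideo's own code, showing the shape of a hardened 2FA toggle handler that adds the checks the description says are missing: a same-origin check, a synchronizer token in X-CSRF-Token, a SameSite session cookie, and re-authentication before 2FA is disabled. User::getId() and LoginControl::setUser2FA() are the names given in the advisory; User::verifyPassword() and the csrf_token session key are assumed names for illustration.

```php
<?php
// Added example, not AVideo's own code: a hardened shape for a 2FA toggle
// handler like plugin/LoginControl/set.json.php. User::getId() and
// LoginControl::setUser2FA() are named in the advisory; User::verifyPassword()
// and the csrf_token session key are assumptions for illustration.
declare(strict_types=1);

// 1. SameSite=Strict keeps the browser from attaching the session cookie to
//    any cross-site request, so a hidden form on another origin arrives anonymous.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Strict',
]);
session_start();

function jsonFail(string $msg, int $status = 403): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

// 2. Same-origin check: browsers add Origin to cross-site POSTs and fetch()
//    calls, and page script cannot overwrite it. Prefer a configured canonical
//    site URL over HTTP_HOST if the server accepts arbitrary Host headers.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    jsonFail('POST required', 405);
}
$siteOrigin = 'https://' . $_SERVER['HTTP_HOST'];
if (($_SERVER['HTTP_ORIGIN'] ?? '') !== $siteOrigin) {
    jsonFail('cross-origin request refused');
}

// 3. Synchronizer token, issued into the session when the dashboard renders
//    and echoed back by the real client in the X-CSRF-Token header.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($sent === '' || !hash_equals((string)($_SESSION['csrf_token'] ?? ''), $sent)) {
    jsonFail('missing or invalid CSRF token');
}

// 4. Disabling 2FA is a sensitive function (CWE-306): demand the current
//    password again rather than trusting the session cookie alone.
$raw = $_POST['value'] ?? '';
$value = $raw === '' ? null : filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
if ($value === null) {
    jsonFail('value must be true or false', 400);
}
$userId = User::getId();
if ($value === false && !User::verifyPassword($userId, $_POST['password'] ?? '')) {
    jsonFail('re-authentication required', 401);
}
LoginControl::setUser2FA($userId, $value);
header('Content-Type: application/json');
echo json_encode(['error' => false, 'set2FA' => $value]);
```

The token must be generated with random_bytes() when the dashboard page renders and stored in the session under the same key the handler reads. Network restrictions such as IP allow-lists do not stop this attack on their own, because the forged request is issued by the victim's own browser from inside the allowed range.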

Advisories
Source: GitHub GHSA
ID: GHSA-3mv2-vmwh-rwfx
Title: AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
History

Fri, 29 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Fri, 29 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 13:45:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.
Type: Title
Values Added: WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
Type: Weaknesses
Values Added: CWE-306; CWE-352
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:00:05.865Z

Reserved: 2026-05-12T20:31:43.448Z

Link: CVE-2026-45610

Vulnrichment

Updated: 2026-05-29T13:59:25.942Z

NVD

Status : Undergoing Analysis

Published: 2026-05-29T14:16:30.713

Modified: 2026-05-29T15:16:23.610

Link: CVE-2026-45610

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses