Impact
An attacker can trick the Meet plugin into authenticating as any user by uploading a file whose name contains an arbitrary user identifier. The uploaded filename is used to call User->login() without verifying that the requester is authorized to act as that user. This bypass allows the attacker to obtain a fully authenticated session, essentially hijacking the account and gaining all privileges it entails.
Affected Systems
AVideo installations up to and including version 29.0 are vulnerable. The exploit targets the uploadRecordedVideo.json.php endpoint in the Meet plugin, which is present in all releases of AVideo through 29.0.
Risk and Exploitability
The CVSS score of 9.2 identifies this as a critical flaw. Although the EPSS score is not available, the vulnerability is not listed in CISA's KEV catalogue. Successful exploitation requires knowledge of the Meet shared secret, which an attacker can obtain via existing path‑traversal or timing attacks against the checkToken.json.php endpoint. Once the secret is known, the attacker can craft a malicious POST request with a filename such as "1‑anything.mp4" to hijack an admin session and perform a full account takeover.
OpenCVE Enrichment