Mar 30, 2026
Missing authorization checks in AVideo <= 26.0 allow unauthenticated extraction of sensitive data, including PayPal logs and user records, via exposed JSON endpoints.
WWBN AVideo versions up to and including 26.0 suffer from a systematic authorization failure (CWE-862). Unauthenticated attackers can query multiple JSON endpoints across various plugins to extract sensitive system, financial, and user data. The vulnerability resides in the omission of access control checks within data table listing scripts.
WWBN AVideo, an open-source broadcast network platform, implements an extensible plugin architecture to handle various auxiliary features such as payments, live streaming, and AI transcription. The vulnerability exists within the administrative backend components of these plugins, specifically affecting versions up to and including 26.0.
The platform exhibits a systematic missing authorization flaw (CWE-862) across at least 19 distinct plugin endpoints. These endpoints handle data presentation for administrative tables and directly execute database queries to populate data views. The application exposes these administrative interfaces to the public internet by default.
Because the core bootstrapping configuration does not enforce global authentication middleware for API or JSON endpoints, the application relies on component-level authorization checks. The developers omitted these checks in the list.json.php files, creating a direct, unauthenticated data exposure vector.
The root cause of this vulnerability is the absence of access control validations at the entry point of the data listing controllers. AVideo uses a standard CRUD paradigm where database tables are managed by specific files for adding, deleting, and listing records.
While the files responsible for modifying state typically implement administrative authorization checks, the scripts designated for rendering data tables do not. When a client requests these endpoints, the PHP script initializes the environment via configuration.php but immediately proceeds to execute data retrieval logic without verifying the user session.
The vulnerable endpoints invoke static methods on classes extending the ObjectYPT core class, predominantly the getAll() method. This method acts as an Object-Relational Mapping (ORM) wrapper that executes an unrestricted SELECT * query against the corresponding plugin's database table, serializes the result set into JSON, and returns it to the client.
An analysis of the vulnerable source code reveals a consistent structural flaw across multiple plugins. The application logic directly exposes database contents to any HTTP GET or POST request targeting the endpoint.
In the unpatched state, the list.json.php file within the PayPalYPT plugin imports the necessary class definitions and immediately fetches all records. The application serializes the array returned by the static method and echoes it to the output buffer without validating the request context.
```php
<?php
// $global['systemRootPath'] is populated by the configuration.php bootstrap that
// the real file includes first; no session or role check happens before this point.
require_once $global['systemRootPath'] . 'plugin/PayPalYPT/Objects/PayPalYPT_log.php';
header('Content-Type: application/json');
$rows = PayPalYPT_log::getAll();    // unrestricted SELECT * over the log table
$total = PayPalYPT_log::getTotal(); // computed but never returned to the client
echo json_encode(['data' => $rows]); // serialized to any caller, authenticated or not
?>
```

The vendor remediated this vulnerability in commit 1729a955f8de7e26552eb728b3d1e6f4b1b9352e by implementing an explicit authorization gate. The patch introduces a conditional check using the User::isAdmin() method before any data access operations occur, terminating script execution if the check fails.
```diff
<?php
require_once $global['systemRootPath'] . 'plugin/PayPalYPT/Objects/PayPalYPT_log.php';
header('Content-Type: application/json');
+ if (!User::isAdmin()) {
+ die(json_encode(['error' => true, 'msg' => "You can't do this"]));
+ }
$rows = PayPalYPT_log::getAll();
$total = PayPalYPT_log::getTotal();
echo json_encode(['data' => $rows]);
?>
```

Exploitation of this vulnerability requires no specialized tools, prior authentication, or specific network positioning beyond reachability to the target AVideo web interface. The attacker only needs to identify a running instance of AVideo version 26.0 or earlier.
The attacker issues a standard HTTP GET request directly to one of the unprotected list.json.php endpoints. Navigating to /plugin/PayPalYPT/View/PayPalYPT_log/list.json.php initiates the vulnerable code path and triggers the database query.
The server processes the request and responds with an HTTP 200 OK status, returning a JSON payload containing the complete contents of the targeted database table. The attacker can automate this process using simple scripts to enumerate and extract all exposed tables across the 19 vulnerable plugins.
The security impact of this vulnerability is high due to the volume and sensitivity of the exposed information. Attackers gain unauthorized read access to critical financial and operational data that administrators assume is protected behind authentication barriers.
The exposure of the PayPalYPT_log and Btc_payments tables compromises payment gateway configurations, transaction histories, and active PayPal tokens. Attackers can leverage these tokens to manipulate financial transactions or access connected financial accounts associated with the platform deployment.
In addition to financial data, the vulnerability exposes user privacy records and internal system intelligence. Endpoints such as Users_extra_info and Live_servers reveal personally identifiable information and infrastructure configurations, enabling further targeted attacks against the user base or the underlying server environment.
The WWBN AVideo maintainers addressed this vulnerability in development via commit 1729a955f8de7e26552eb728b3d1e6f4b1b9352e. System administrators must upgrade their AVideo installations to the patched release succeeding version 26.0 immediately to secure their environments.
If an immediate upgrade is not feasible, administrators can manually apply the patch by editing the affected list.json.php files across the plugin/ directory. The remediation requires inserting the User::isAdmin() check at the top of each file, directly following the inclusion of the core configuration files.
Security teams should conduct a thorough audit of the AVideo filesystem to identify any custom or third-party plugins that implement similar endpoints. Any file exposing an unrestricted data retrieval method call must be retrofitted with identical access control validations to prevent variant attacks.
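The audit step above can be scripted. The following is an added example, not AVideo project code: it walks a plugin/ tree, finds every list.json.php, and flags files where a `::getAll*(` call appears before any `User::isAdmin()` or `User::isLogged()` gate. The sample tree, the plugin names `PayPalYPT` and `Btc` under it, and the regex heuristics are constructed assumptions for the demo.

```python
"""Audit helper (added example, not AVideo project code): find list.json.php
files whose data retrieval runs before any authorization gate."""
import os
import re
import tempfile

# Calls that hand the table contents to the client (ObjectYPT::getAll and variants).
DATA_CALL = re.compile(r"::getAll\w*\s*\(")
# Gates the AVideo patch uses; isLogged is accepted as a weaker but present check.
# Heuristic only: a gate that appears earlier in the file is assumed to guard the call.
AUTH_GATE = re.compile(r"User::(isAdmin|isLogged)\s*\(")

def is_unguarded(php_source: str) -> bool:
    """True when a data call appears with no auth gate positioned before it."""
    data = DATA_CALL.search(php_source)
    if data is None:
        return False  # nothing exposed, nothing to gate
    gate = AUTH_GATE.search(php_source)
    return gate is None or gate.start() > data.start()

def find_unguarded_listers(root: str) -> list[str]:
    """Walk root (the AVideo plugin/ directory) and return unguarded list.json.php paths."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name != "list.json.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if is_unguarded(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

# Constructed sample sources mirroring the advisory's before/after snippets.
VULNERABLE = "<?php\n$rows = PayPalYPT_log::getAll();\necho json_encode(['data' => $rows]);\n"
PATCHED = ("<?php\nif (!User::isAdmin()) {\n    die(json_encode(['error' => true]));\n}\n"
           "$rows = PayPalYPT_log::getAll();\necho json_encode(['data' => $rows]);\n")

def demo() -> list[str]:
    """Build a temporary plugin/ tree with one vulnerable and one patched endpoint."""
    root = tempfile.mkdtemp()
    for plugin, src in (("PayPalYPT", VULNERABLE), ("Btc", PATCHED)):
        d = os.path.join(root, plugin, "View", "Log")
        os.makedirs(d)
        with open(os.path.join(d, "list.json.php"), "w", encoding="utf-8") as fh:
            fh.write(src)
    return find_unguarded_listers(root)

if __name__ == "__main__":
    print(demo())  # → ['PayPalYPT/View/Log/list.json.php']
```

Run it against a real installation with `find_unguarded_listers("/path/to/AVideo/plugin")` and review each hit by hand; a gate placed after the data call is reported as unguarded on purpose.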
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| AVideo WWBN | <= 26.0 | Post-26.0 (Commit 1729a955f8de7e26552eb728b3d1e6f4b1b9352e) |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-862 |
| Attack Vector | Network |
| CVSS Score | 7.5 |
| Impact | High (Data Confidentiality) |
| Exploit Status | PoC |
| Authentication Required | None |
CWE-862 (Missing Authorization): The software does not perform an authorization check when an actor attempts to access a resource or perform an action.