PT-2026-29352 · Avideo · Avideo

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34394

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior
Description

AVideo's admin plugin configuration endpoint (admin/save.json.php) is susceptible to cross-site request forgery (CSRF) because it performs no CSRF token validation: neither isGlobalTokenValid() nor verifyToken() is called before the request is processed. The application's configuration explicitly sets session.cookie_samesite to 'None', which disables the browser's default SameSite protection and lets the session cookie be attached to cross-origin requests. Together, these allow an attacker to forge cross-origin POST requests from a malicious page and modify arbitrary plugin settings in a victim administrator's session; the vulnerable parameters are read from $_POST by admin/save.json.php.

The plugins table is also excluded from the standard table-level access controls, so a successful attack can take over platform functionality completely by reconfiguring payment processors, authentication providers, and cloud storage credentials. An attacker can silently reconfigure any plugin on the AVideo platform simply by tricking an administrator into visiting a malicious page. Exploitable outcomes include payment hijacking, credential theft, authentication bypass, and backdoor installation.
Recommendations

Add CSRF token validation at admin/save.json.php:10, immediately after the admin check and before any plugin setting is written:

```php
// Reject the request unless it carries a valid per-session CSRF token;
// a forged cross-origin POST from an attacker's page cannot supply one.
if (!isGlobalTokenValid()) {
  die('{"error":"Invalid CSRF token"}');
}
```
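The following is an added example, not AVideo's code, that puts the two things the advisory calls out side by side: the SameSite=None session-cookie setting the application uses, a hardened cookie configuration, and a token check placed where the recommendation puts it (after the admin check, before any state change), plus a Sec-Fetch-Site check as defence in depth. The $_SESSION['is_admin'] flag, the csrf_token field name, the plugin parameter and all function names are hypothetical; AVideo's own isGlobalTokenValid() is not reproduced here.

```php
<?php
// Added example (hypothetical names, not AVideo's code): a minimal admin
// "save" endpoint shown with the weak session setting and then hardened.
declare(strict_types=1);

// --- Weak setting the advisory describes ----------------------------------
// With SameSite=None the session cookie is attached to cross-site POSTs, so a
// form auto-submitted from an attacker's page reaches the endpoint with the
// administrator's session. Browsers require Secure alongside None.
function startSessionWeak(): void
{
    ini_set('session.cookie_samesite', 'None');
    ini_set('session.cookie_secure', '1');
    session_start();
}

// --- Hardened cookie configuration ----------------------------------------
// Lax (or Strict) keeps the browser from sending the cookie on cross-site
// POSTs. This is a browser-side mitigation only; the server-side token check
// below is still required.
function startSessionHardened(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// One random token per session; the admin form embeds it in a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function isCsrfTokenValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: browsers that send Sec-Fetch-Site mark cross-site
// requests as "cross-site". The header is absent on old browsers, so a
// missing header is treated as same-origin rather than blocked.
function isSameSiteRequest(): bool
{
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    return in_array($site, ['same-origin', 'same-site'], true);
}

// Hardened handler: admin check, then CSRF checks, then the state change.
function handleSaveHardened(): void
{
    startSessionHardened();
    header('Content-Type: application/json');

    if (empty($_SESSION['is_admin'])) {          // hypothetical admin flag
        http_response_code(403);
        die('{"error":"admin only"}');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isSameSiteRequest()
        || !isCsrfTokenValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        die('{"error":"Invalid CSRF token"}');
    }

    // Only now touch the plugin configuration (persistence omitted).
    $plugin = $_POST['plugin'] ?? '';            // hypothetical parameter
    echo json_encode(['ok' => true, 'plugin' => $plugin]);
}
```

The order matters: the admin check alone does not help, because a CSRF request carries the administrator's real session; the token (and, secondarily, the SameSite and Sec-Fetch-Site checks) is what proves the request originated from the application's own form rather than from an attacker's page.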

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-34394
GHSA-4WWR-7H7C-CHQR

Affected Products

Avideo