Ahmad-Jarwan

#8602 of 53,632 · 31.9 Total CVSS · Vulnerabilities: 4 (Medium 1, High 2, Critical 1)
PT-2026-26786 · 9.3 · 2026-03-20 · Avideo · Avideo · CVE-2026-33502
**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0

**Description** AVideo, an open source video platform, contains an unauthenticated server-side request forgery (SSRF) vulnerability in `plugin/Live/test.php`. A remote user can make the AVideo server send HTTP requests to arbitrary URLs. The endpoint reads `$_REQUEST['statsURL']` and validates it only by checking that the value begins with `http`; `url_get_contents()` then hands it to `file_get_contents()` for the outbound request. An attacker can therefore probe localhost and internal services, distinguish open from closed ports from the reflected upstream errors, and retrieve reflected content from internal HTTP services, including cloud metadata endpoints where they are reachable. `test.php` also contains a `wget` fallback that passes the URL to a shell command, adding command-injection exposure.

**Recommendations** For versions up to and including 26.0:
- Remove `plugin/Live/test.php` from production deployments.
- If the file must remain, require admin authentication and move it behind the admin panel URL prefix with appropriate access control rules.
- Only allow requests to explicitly configured Live stats URLs, and add an `isSSRFSafeURL()` check before any fetch operation.
- Block localhost, RFC1918, link-local and metadata IP ranges.
- Stop reflecting fetched bodies and raw upstream errors to the client.
- Remove the `wget` fallback entirely (lines 94–119 of `test.php`); if it must remain, escape the argument using `escapeshellarg()`.
- Block outbound connections from the web process to RFC1918 addresses at the firewall/egress level.
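The following is an added example, not AVideo's code, written to show what the advisory's mitigations look like side by side: the prefix check it describes, an `isSSRFSafeURL()`-style validator that resolves the host and rejects loopback, RFC1918, link-local and metadata ranges (the allowed-host list and the IPv6 handling go beyond the advisory's wording), a fetch that does not follow redirects or reflect upstream errors, and `escapeshellarg()` for a shell fallback. Function names and the sample URLs are illustrative; `203.0.113.10` is a documentation address standing in for a configured stats host.

```php
<?php
// Added example for this page (not AVideo's code). Function names are illustrative.

// The check the advisory describes: only the prefix is inspected.
function weak_check(string $url): bool
{
    return strpos($url, 'http') === 0;
}

// IPv4 ranges the web process must never be made to contact.
const BLOCKED_V4 = [
    '0.0.0.0/8', '127.0.0.0/8',                              // "this" network, loopback
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',         // RFC1918
    '169.254.0.0/16',                                        // link-local, includes 169.254.169.254
    '100.64.0.0/10',                                         // shared address space
];

function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function ipv4_is_blocked(string $ip): bool
{
    foreach (BLOCKED_V4 as $cidr) {
        if (ipv4_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

function ipv6_is_blocked(string $ip): bool
{
    $bin = inet_pton($ip);
    if ($bin === false || strlen($bin) !== 16) return true;           // unparsable: fail closed
    if ($bin === inet_pton('::1') || $bin === inet_pton('::')) return true; // loopback, unspecified
    $b0 = ord($bin[0]);
    $b1 = ord($bin[1]);
    if (($b0 & 0xFE) === 0xFC) return true;                            // fc00::/7 unique local
    if ($b0 === 0xFE && ($b1 & 0xC0) === 0x80) return true;            // fe80::/10 link-local
    if (substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {   // ::ffff:a.b.c.d
        return ipv4_is_blocked(inet_ntop(substr($bin, 12)));
    }
    return false;
}

// Resolves the host and requires every returned address to be public.
function is_ssrf_safe_url(string $url, array $allowedHosts = []): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return false;
    if (isset($p['user']) || isset($p['pass'])) return false;      // no credentials in stats URLs
    $host = strtolower(trim($p['host'], '[]'));                    // parse_url keeps [] on IPv6 literals
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) return false;

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];
    } else {
        $addrs = array_merge(
            gethostbynamel($host) ?: [],
            array_column(@dns_get_record($host, DNS_AAAA) ?: [], 'ipv6')
        );
    }
    if ($addrs === []) return false;                               // unresolvable: fail closed
    foreach ($addrs as $ip) {
        $v4 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
        if ($v4 ? ipv4_is_blocked($ip) : ipv6_is_blocked($ip)) return false;
    }
    return true;
}

// Fetch without following redirects (a 302 to an internal address would bypass the
// check). The caller gets the body or null; it must not echo the body or curl_error().
function fetch_stats(string $url): ?string
{
    if (!is_ssrf_safe_url($url)) return null;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body !== false && $code === 200) ? $body : null;
}

// If a wget fallback must stay, the URL is one quoted argument, never interpolated.
function wget_command(string $url): string
{
    return 'wget -q -O - ' . escapeshellarg($url);
}

$samples = [                                 // constructed inputs for the demo
    'http://127.0.0.1:6379/',                // loopback port probe
    'http://169.254.169.254/latest/meta-data/', // cloud metadata
    'http://[::1]/',                         // IPv6 loopback
    'http://10.0.0.5/',                      // RFC1918
    'http://user:pw@203.0.113.10/',          // credentials in URL
    'httpfoo://203.0.113.10/',               // passes the prefix check, not an allowed scheme
    'https://203.0.113.10/live/stats',       // public documentation address: allowed
];
foreach ($samples as $u) {
    printf("%-44s weak=%d safe=%d\n", $u, weak_check($u), is_ssrf_safe_url($u));
}
```

The resolution step closes the obvious bypasses (decimal or short-form IPv4 literals, hostnames that point at internal addresses) but not DNS rebinding between the check and the fetch, which is why the advisory's last recommendation, an egress block on RFC1918 from the web process, is still needed as the backstop.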
PT-2026-27168 · 8.6 · 2026-03-20 · Avideo · Avideo · CVE-2026-33513
**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 26.1

**Description** AVideo, an open source video platform, has an unauthenticated local file inclusion issue in the API locale endpoint. The `APIName=locale` handler concatenates user input into an `include` path without validation or sanitization, allowing path traversal. An attacker can include arbitrary PHP files under the web root, leading to file disclosure and, if the attacker can place or control a PHP file on the web server's file system (for example through an upload), remote code execution. The vulnerable code resides in `plugin/API/API.php`, in the `get_api_locale()` method (lines ~5009–5023), and is triggered by manipulating the `language` parameter in a GET request to `/plugin/API/get.json.php`.

**Recommendations** Update to 26.1 or a later patched release. Until then:
- Reject path separators and dots in the `language` parameter and enforce a strict allowlist of locale slugs.
- Use `realpath` to confirm the target file remains within the expected directory.
- Stop using `include` for translations and load data from vetted formats such as JSON or arrays.
- Add authentication (API secret or token) to the endpoint as a secondary control.
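An added example, not AVideo's code, that puts the advisory's four workarounds together: the `language` value is treated as a key rather than a path (allowlist), the resolved file must sit under the locale directory (`realpath` containment), translations are loaded as JSON rather than executed, and a constant-time token check sits in front of the endpoint. The directory layout, the `.json` naming and the token check are assumptions for the demonstration; the `vulnerable_locale()` function only shows the shape of the pattern the advisory warns about and is never called.

```php
<?php
// Added example for this page (not AVideo's code). Layout and names are illustrative.

// The pattern the advisory describes: the parameter lands directly in an include
// path, so a value like "../../uploads/x" walks out of the locale directory.
function vulnerable_locale(string $baseDir, string $language): void
{
    include $baseDir . '/' . $language . '.php';
}

// 1. Allowlist: a slug is two or three letters plus an optional region, and must be known.
function normalize_locale(string $language, array $known): ?string
{
    if (!preg_match('/^[a-z]{2,3}(?:_[A-Z]{2})?$/', $language)) return null;
    return in_array($language, $known, true) ? $language : null;
}

// 2. Containment: the resolved file must be below the resolved base directory.
function contained_path(string $baseDir, string $slug): ?string
{
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $slug . '.json');
    if ($base === false || $file === false) return null;     // missing file: fail closed
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// 3. Data, not code: the translation file is decoded, never included.
function load_locale(string $baseDir, string $language, array $known): ?array
{
    $slug = normalize_locale($language, $known);
    if ($slug === null) return null;
    $path = contained_path($baseDir, $slug);
    if ($path === null) return null;
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : null;
}

// 4. Secondary control: constant-time comparison of a presented API token.
function api_authorized(?string $presented, string $expected): bool
{
    return $presented !== null && $presented !== '' && hash_equals($expected, $presented);
}

// Self-contained run against a throwaway locale directory with one real file.
$dir = sys_get_temp_dir() . '/locale_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/en_US.json", json_encode(['hello' => 'Hello']));
$known = ['en_US', 'pt_BR'];

$probes = ['en_US', '../../../../etc/passwd', 'en_US/../../x', 'en_US.json', 'pt_BR'];
foreach ($probes as $lang) {
    $r = load_locale($dir, $lang, $known);
    printf("%-26s => %s\n", $lang, $r === null ? 'rejected' : json_encode($r));
}
var_dump(api_authorized('s3cret', 's3cret'), api_authorized('', 's3cret'));

unlink("$dir/en_US.json");
rmdir($dir);
```

Only `en_US` loads; the traversal strings fail the allowlist, and `pt_BR`, although allowlisted, is rejected because no file exists for it, which is the fail-closed behaviour the `realpath` check gives for free.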
PT-2026-26089 · 6.5 · 2026-03-18 · Unknown · Filebrowser · CVE-2026-32761
**Name of the Vulnerable Software and Affected Versions** File Browser versions 2.61.0 and below

**Description** File Browser is a file managing interface that allows users to upload, delete, preview, rename, and edit files. A permission enforcement issue exists where users with share privileges (`perm.share = true`) but without download privileges (`perm.download = false`) can bypass download restrictions and exfiltrate file content. This is achieved by creating public share links and then retrieving the files via the public download handler (`/api/public/dl/<hash>`). The direct raw download endpoint (`/api/raw/`) correctly enforces download permissions, but the share creation endpoint only checks share permissions, and the public download handler serves file content without verifying the original file owner's download permission. This bypass undermines data-loss prevention and role-separation policies, allowing restricted users to publicly distribute files they are explicitly blocked from downloading directly. The backend applies inconsistent authorization checks across download paths, specifically in `raw.go`, `share.go`, and `public.go`. A proof-of-concept demonstrates that a user without download permissions can upload a file, create a share, and then download the file publicly using the generated hash.

**Recommendations** Versions prior to 2.62.0 are affected. Update to version 2.62.0 or later to resolve this issue.