Danielnetodotcom

**Name of the Vulnerable Software and Affected Versions** AVideo versions up to and including 26.0 **Description** AVideo is an open source video platform. The `transferBalance()` method within the `plugin/YPTWallet/YPTWallet.php` file contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks for sufficient funds using PHP, and then writes the new balance without utilizing database transactions or row-level locking. An attacker with multiple authenticated sessions can concurrently send transfer requests, each reading the same initial balance. These requests independently pass the balance check, leading to a scenario where the sender's balance is deducted only once, while the recipient receives funds multiple times. The vulnerable function is `transferBalance()`. **Recommendations** Versions up to and including 26.0 should be updated to a version containing commit 34132ad5159784bfc7ba0d7634bb5c79b769202d, which addresses the issue.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 8.0 **Description** AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery issue (CWE-918) in the public thumbnail endpoints ''getImage.php'' and ''getImageMP4.php''. These endpoints accept a `base64Url` GET parameter, decode it, and pass the resulting URL to ffmpeg as an input source without authentication. The initial validation only confirmed the URL was syntactically valid and began with http(s)://, which is insufficient. An attacker can provide URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server access internal network resources. The response is not directly returned, but timing differences and error logs can be used to infer results. **Recommendations** Versions prior to 8.0 should be updated to version 8.0.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 8.0 **Description** AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection issue in the `getSqlFromPost()` method of Object.php. The `$ POST['sort']` array keys are used directly as SQL column identifiers within an ORDER BY clause. While `real escape string()` was applied, it only escapes string-context characters and does not protect SQL identifiers, rendering it ineffective. The issue stems from the direct use of unsanitized input in constructing a SQL query. The `sort` parameter within the `$ POST` request is particularly vulnerable. **Recommendations** Versions prior to 8.0 should be upgraded to version 8.0. As a workaround without upgrading, apply a WAF rule to block POST requests where any `sort[*]` key contains characters outside [A-Za-z0-9 ]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.

**Name of the Vulnerable Software and Affected Versions** WWBN AVideo versions up to and including 26.0 **Description** The RTMP `on publish` callback at `plugin/Live/on publish.php` lacks authentication. The `$ POST['name']` parameter, representing the stream key, is directly incorporated into SQL queries within the `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` functions without proper sanitization or parameterized binding. This allows an unauthenticated attacker to perform time-based blind SQL injection, potentially extracting all database contents, including user password hashes, email addresses, and other sensitive data. The insufficient sanitization on line 117 of `plugin/Live/on publish.php` only strips '&' and '=' characters. The `sqlDAL::readSql()` function does not provide protection when called without format/values parameters, as it compiles the injected SQL directly. Exploitation can be achieved through crafted `curl` requests, leveraging the injection points to extract data character by character. An attacker could potentially authenticate as any user to the streaming system by using extracted password hashes. **Recommendations** Versions up to and including 26.0: Use parameterized queries in the `LiveTransmition::keyExists()` function at `plugin/Live/Objects/LiveTransmition.php:298-303`. Versions up to and including 26.0: Use parameterized queries in the `LiveTransmitionHistory::getLatest()` function at `plugin/Live/Objects/LiveTransmitionHistory.php:494-495`. Versions up to and including 26.0: Use parameterized queries in the `LiveTransmitionHistory::getLatestFromKey()` function at `plugin/Live/Objects/LiveTransmitionHistory.php:681-688`.

**Name of the Vulnerable Software and Affected Versions** AVideo versions 25.0 and below **Description** AVideo, an open source video platform, contains a reflected Cross-Site Scripting (XSS) issue. An unauthenticated attacker can execute arbitrary JavaScript in a victim's browser by manipulating a URL parameter. User input from a URL parameter is processed by PHP's `json encode()` function and then rendered within a JavaScript function using `innerHTML`, bypassing encoding and enabling full script execution. The root cause is the combination of unescaped user input passed to JavaScript and the use of `innerHTML` which renders HTML tags as executable DOM. The attack can potentially lead to session hijacking, account takeover, credential phishing through injected login forms, self-propagating payload distribution, and administrative account compromise. The vulnerability stems from the lack of proper input sanitization and insufficient cookie security, specifically the absence of the HttpOnly flag on the PHPSESSID cookie. The vulnerable code is located in `view/videoNotFound.php` and `view/js/script.js`. **Recommendations** Versions prior to 26.0 should be updated. As a fix, escape HTML in PHP using `JSON HEX TAG | JSON HEX AMP` with `json encode()`. Alternatively, use `textContent` instead of `innerHTML` in the JavaScript code.

Name of the Vulnerable Software and Affected Versions: AVideo Platform versions prior to 10.2 Description: The issue allows an ordinary user to bypass authorization and gain admin control. This is resolved by removing the pass hash and the recoverPass hash from all queries. Recommendations: For versions prior to 10.2, update to version 10.2 to resolve the issue. As a temporary workaround, consider restricting access to admin controls until the update can be applied.