Avideo · Avideo · CVE-2026-33492
**Name of the Vulnerable Software and Affected Versions**
AVideo versions up to and including 26.0
**Description**
AVideo’s `session_start()` function is susceptible to accepting arbitrary session IDs through the `PHPSESSID` GET parameter, setting them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. This, combined with the disabled session regeneration in `User::login()`, allows for a session fixation attack where an attacker can fix a victim's session ID before authentication and subsequently hijack the authenticated session. The `requestComesFromSafePlace()` function only verifies that the `HTTP_REFERER` matches the AVideo domain, which is easily satisfied by links within the platform. The session ID is exposed to same-origin JavaScript via `objects/phpsessionid.json.php` and stored in a global JavaScript variable in `view/js/session.js`. There is no session-to-IP or session-to-user-agent binding. An attacker can inject a link containing a pre-defined session ID, and when a victim clicks it while logged in, the attacker can hijack the session. This could lead to full account takeover, data access, privilege escalation, and lateral actions.
**Recommendations**
AVideo versions up to and including 26.0: Re-enable session regeneration on login by uncommenting `session_regenerate_id();` in `objects/user.php` at line 1317.
AVideo versions up to and including 26.0: Remove GET-based session ID acceptance in `objects/functionsPHP.php` lines 344-383.
AVideo versions up to and including 26.0: Remove session ID exposure from `objects/phpsessionid.json.php` and `view/js/session.js`.
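The following is an added illustration, not AVideo's own code, contrasting the weak session-handling pattern the advisory describes with a hardened login flow that applies its recommendations (ignore query-string session IDs, regenerate the ID at login, and bind the session to the client); all function names are hypothetical.

```php
<?php
// Added example (not AVideo's code). Function names are hypothetical.

// WEAK pattern, as described in the advisory: a session ID supplied in the
// query string becomes the active session, and login keeps that same ID.
function weak_session_start(): void
{
    if (!empty($_GET['PHPSESSID'])) {
        session_id($_GET['PHPSESSID']); // caller-chosen ID is adopted as-is
    }
    session_start();
}

function weak_login(int $userId): void
{
    $_SESSION['user_id'] = $userId;     // same ID before and after authentication
}

// HARDENED pattern.
function safe_session_start(): void
{
    // Only the cookie may carry the session ID; never the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject any ID the server did not issue itself (blocks fixation outright).
    ini_set('session.use_strict_mode', '1');
    session_start([
        'cookie_httponly' => true,   // not readable from JavaScript
        'cookie_secure'   => true,
        'cookie_samesite' => 'Lax',
    ]);
}

function safe_login(int $userId): void
{
    // Fresh ID at the privilege boundary: a pre-fixed ID is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Bind the session to the User-Agent (the advisory notes no such binding).
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function session_is_valid(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $expected = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['ua_hash'] ?? '', $expected);
}
```

With `session.use_strict_mode` enabled, PHP discards an unknown ID and issues a new one, so even a request that smuggles `PHPSESSID` in cannot seed the session; the regeneration in `safe_login()` covers the remaining case where an ID was issued legitimately but observed before login.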