PT-2026-26785 · Avideo

Restriction · Published 2026-03-20 · Updated 2026-03-25 · CVE-2026-33501

CVSS v3.1: 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The plugin/Permissions/View/Users_groups_permissions/list.json.php endpoint in AVideo lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. Sibling endpoints in the same directory properly require User::isAdmin(), indicating that this is an oversight. The endpoint returns all rows from the users_groups_permissions table as JSON, revealing user group IDs, installed plugin IDs, permission types, and active/inactive status. The getSqlFromPost() method processes $_POST['sort'] and $_GET parameters, so an attacker can paginate and sort the results to extract all data systematically. An unauthenticated attacker can therefore enumerate the complete authorization model of the AVideo instance, which may aid privilege escalation.

Recommendations: Add the same admin authorization check used by the sibling endpoints. In plugin/Permissions/View/Users_groups_permissions/list.json.php, include the following code before any request parameters are processed:

$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
// Same admin gate as the sibling endpoints: stop before $_POST/$_GET are read
if(!User::isAdmin()){
  die(json_encode(['error' => true, 'msg' => 'You cant do this']));
}
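Because the root cause is one endpoint diverging from its siblings, a maintainer can catch this class of oversight with a consistency check: scan every *.json.php under a view directory and flag any file that reads $_GET/$_POST/$_REQUEST without a preceding User::isAdmin() guard. The script below is an added example, not AVideo's code; the regex scan is heuristic, the two sample endpoints are constructed in a temp directory, and the directory name Guarded_sibling is made up.

```python
"""Flag *.json.php endpoints that read request input without a prior
User::isAdmin() guard. Heuristic regex scan; sample files are constructed."""
import os
import re
import tempfile

GUARD = re.compile(r"User::isAdmin\s*\(")
INPUT = re.compile(r"\$_(GET|POST|REQUEST)\b")

def lacks_admin_guard(source: str) -> bool:
    """True if $_GET/$_POST/$_REQUEST is used before (or without) an admin check."""
    guard = GUARD.search(source)
    first_input = INPUT.search(source)
    if first_input is None:
        return False  # no request input consumed, nothing to gate
    return guard is None or guard.start() > first_input.start()

def find_unguarded(root: str) -> list:
    """Paths (relative to root, '/'-separated) of *.json.php files lacking the guard."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".json.php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                if lacks_admin_guard(fh.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

# Constructed miniature of plugin/Permissions/View/: one guarded sibling (made-up
# directory name) and one endpoint shaped like the reported oversight.
GUARDED = """<?php
$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
if(!User::isAdmin()){ die(json_encode(['error' => true, 'msg' => 'You cant do this'])); }
$sort = $_POST['sort'] ?? [];
"""
UNGUARDED = """<?php
$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
$sort = $_POST['sort'] ?? [];
echo json_encode($rows);
"""

def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("Guarded_sibling", GUARDED), ("Users_groups_permissions", UNGUARDED)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "list.json.php"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_unguarded(root)  # ['Users_groups_permissions/list.json.php']
```

Run it as a CI step against the real plugin/Permissions/View/ tree; any path it prints is an endpoint whose request handling is not gated by the admin check the siblings use.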

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-33501, GHSA-96QP-8CMQ-JVQ8

Affected Products: Avideo