CVE-2026-40925

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.1

Description AVideo allows an attacker to perform a Cross-Site Request Forgery (CSRF) attack. The endpoint "/updateConfig" (also routed via objects/configurationUpdate.json.php) persists global site settings from $ POST but lacks sufficient protection, as it does not verify a globalToken, validate Origin/Referer headers, or call the forbidIfIsUntrustedRequest() function. Because the software sets session.cookie samesite=None to support cross-origin iframe embedding, a logged-in administrator visiting a malicious page can be forced to submit a cross-origin POST request. This allows an attacker to rewrite the site's encoder URL, SMTP credentials, logo, favicon, contact email, and site <head> HTML.

Recommendations Update to a version later than 29.0 to apply the fix provided in commit f9492f5e6123dff0292d5bb3164fde7665dc36b4.