PT-2026-37289 · Wwbn · Avideo

Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43873

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.0

Description: An issue exists where the endpoint 'plugin/CloneSite/cloneClient.json.php' echoes the local CloneSite shared secret, stored in the variable myKey (a constant value generated via md5($global['systemRootPath'] . $global['salt'])), into the HTTP response body during unauthenticated requests. This occurs because the error branch intended to reject non-admin callers interpolates the expected key into the rejection message before terminating the process.

If the installation is configured with a remote cloneSiteURL for federation or backup, the leaked myKey serves as the credential that authenticates the victim to the remote server's 'cloneServer.json.php' endpoint. An attacker can use this key to impersonate the victim and trigger a full mysqldump (a utility used to create database backups) of the remote server's database. The resulting dump is saved to the remote server's public 'videos/clones/' directory, allowing the attacker to download sensitive data, including user password hashes and API secrets, via an unauthenticated request.

Recommendations: Update to a version that includes the fix provided in commit e6566f56a28f4556b2a0a09d03717a719dcb49da. As a temporary mitigation, restrict HTTP access to the 'plugin/CloneSite/cloneClient.json.php' file to authorized administrators only. Restrict direct HTTP access to the 'videos/clones/' directory using server configuration rules (e.g., .htaccess or Nginx) to prevent the download of database dumps.
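As an added illustration (constructed for this advisory, not the project's own code, which may differ in detail), the leak pattern described above beside a hardened variant; the $global array contents, the function names and the logging call are assumptions:

```php
<?php
// Constructed stand-in for the AVideo globals the advisory mentions
// (values are placeholders, not real configuration).
$global = ['systemRootPath' => '/var/www/avideo/', 'salt' => 'constructed-salt'];

// Shared secret derived the way the advisory states.
$myKey = md5($global['systemRootPath'] . $global['salt']);

// Vulnerable pattern (hypothetical reconstruction): the rejection message
// interpolates the expected key, so any unauthenticated caller that supplies
// a wrong key learns the secret from the error body.
function rejectLeaky(string $provided, string $myKey): string {
    $obj = ['error' => true, 'msg' => "Invalid key {$provided}, expected {$myKey}"];
    return json_encode($obj);
}

// Hardened pattern: compare in constant time, never echo the expected value,
// and keep any diagnostic detail on the server side only.
function rejectSafe(string $provided, string $myKey): string {
    if (!hash_equals($myKey, $provided)) {
        // Server-side log only; the client sees a generic message.
        error_log('CloneSite: key mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return json_encode(['error' => true, 'msg' => 'Invalid key']);
    }
    return json_encode(['error' => false]);
}

// Regression check a maintainer could keep: no response produced for a
// wrong key may contain the secret.
function responseLeaksSecret(string $body, string $secret): bool {
    return strpos($body, $secret) !== false;
}

$bad = 'wrong-key';
var_dump(responseLeaksSecret(rejectLeaky($bad, $myKey), $myKey)); // leaky branch
var_dump(responseLeaksSecret(rejectSafe($bad, $myKey), $myKey));  // hardened branch
```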

Weakness Enumeration: Generation of Error Message Containing Sensitive Information

Related Identifiers: CVE-2026-43873, GHSA-QM9P-P5PW-JRX2

Affected Products: Avideo