CVE-2026-43875

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.0

Description An issue exists where the endpoint 'plugin/MobileManager/oauth2.php' completes an OAuth login by redirecting the user to 'oauth2Success.php' via an HTTP 302 response. This redirect includes the user's email and stored password hash in the URL query string. Because these URLs are often recorded in server logs, browser history, or leaked via the Referer header, an attacker can capture the hash.

Furthermore, the login endpoint 'objects/login.json.php' accepts a variable encodedPass set to 1, which allows the system to perform a direct string comparison between a supplied value and the stored hash, bypassing the standard hashing process. An attacker possessing the captured hash can use this flag to authenticate as the victim, potentially gaining full account takeover, including administrative access.

Recommendations Update to a version containing commit 977cd6930a97571a26da4239e25c8096dd4ecbc1. As a temporary mitigation, restrict access to the 'plugin/MobileManager/oauth2.php' endpoint or disable the MobileManager plugin until the update is applied.