PT-2026-37297 · Avideo · Avideo
Offset · Published 2026-05-05 · Updated 2026-05-12
CVE-2026-43881 · CVSS v3.1 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WWBN AVideo versions prior to 29.1
Description
An issue in the 'objects/users.json.php' endpoint allows unauthenticated remote attackers to disclose the full set of registered user accounts. This occurs through two distinct paths.

First, the isCompany request parameter triggers a logic flaw that sets the $ignoreAdmin variable to true for non-admin callers. This bypasses the administrative guards within the getAllUsers() and getTotalUsers() functions, enabling retrieval of the entire user table. Specifically, setting isCompany to 0 allows the extraction of all non-company users.

Second, the endpoint accepts a users_id parameter and calls getUserFromID() without performing any permission check. This creates a single-user oracle with which an attacker can verify the existence of specific user IDs.

Both paths leak sensitive information, including user IDs, display names (identification), channel URLs, profile photos, backgrounds, account status, and the total number of registered accounts.
Recommendations
Update to AVideo 29.1 or later. Until the update can be applied, for versions prior to 29.1 apply the following measures:
- Implement authentication at the start of 'objects/users.json.php' using User::loginCheck() and restrict access to users with search permissions via canSearchUsers().
- Remove the logic branch that sets $ignoreAdmin = true based on the isCompany parameter.
- Restrict the users_id path so that only administrators or the users themselves can access specific record details.
- Limit the rowCount parameter to a reasonable maximum to prevent bulk data harvesting; note that a cap only bounds what an authorised caller can page through, it does not replace the login check.
- Remove 'objects/users.json.php' from the CSRF-bypass list in 'objects/functionsSecurity.php'.
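The following is an added illustration, not AVideo's own 'objects/users.json.php' and not code from the advisory. It models the access-control shape described above (a request parameter deciding whether the admin guard applies, and an unguarded users_id lookup) next to the hardened shape the recommendations call for. The user table, the $caller context and the bodies of getAllUsers(), getTotalUsers() and getUserFromID() are constructed stand-ins; their real signatures in AVideo are assumed, not quoted, and User::loginCheck() and canSearchUsers() are represented by fields on the caller. The CSRF-bypass list change in 'objects/functionsSecurity.php' is not modeled.

```php
<?php
declare(strict_types=1);

// Added illustration, not AVideo's objects/users.json.php. It models the
// access-control shape the advisory describes and the hardened shape its
// recommendations imply. The user table, the $caller context and the helper
// functions are constructed stand-ins (assumptions), not the project's real API.

const MAX_ROW_COUNT = 100;   // assumption: a cap chosen for this example

// Constructed sample table (assumption). isCompany mirrors the endpoint's filter.
$USERS = [
    1 => ['id' => 1, 'identification' => 'admin', 'isAdmin' => true,  'isCompany' => 0],
    2 => ['id' => 2, 'identification' => 'alice', 'isAdmin' => false, 'isCompany' => 0],
    3 => ['id' => 3, 'identification' => 'acme',  'isAdmin' => false, 'isCompany' => 1],
];

// Stand-in for getAllUsers(): the real one reads the session; here the caller
// is passed explicitly so both handlers can be exercised side by side.
function getAllUsers(array $caller, bool $ignoreAdmin, int $isCompany, int $rowCount): array
{
    global $USERS;
    // The guard the advisory refers to: listing is for admins (or searchers),
    // unless the caller asks the function to ignore that guard.
    if (!$ignoreAdmin && !$caller['isAdmin'] && !$caller['canSearchUsers']) {
        return [];
    }
    $rows = array_values(array_filter($USERS, fn(array $u) => $u['isCompany'] === $isCompany));
    return array_slice($rows, 0, $rowCount);
}

function getTotalUsers(array $caller, bool $ignoreAdmin, int $isCompany): int
{
    return count(getAllUsers($caller, $ignoreAdmin, $isCompany, PHP_INT_MAX));
}

function getUserFromID(int $id): ?array
{
    global $USERS;
    return $USERS[$id] ?? null;
}

// Vulnerable shape (versions before 29.1): a request parameter, not the caller's
// role, decides whether the guard inside getAllUsers()/getTotalUsers() applies.
function users_json_vulnerable(array $caller, array $req): array
{
    $ignoreAdmin = false;
    if (isset($req['isCompany'])) {          // BUG: attacker-controlled bypass
        $ignoreAdmin = true;
    }
    if (!empty($req['users_id'])) {          // BUG: no login or ownership check
        return ['status' => 200, 'user' => getUserFromID((int) $req['users_id'])];
    }
    $isCompany = (int) ($req['isCompany'] ?? 0);
    $rowCount  = (int) ($req['rowCount'] ?? 10);   // BUG: unbounded
    return [
        'status' => 200,
        'rows'   => getAllUsers($caller, $ignoreAdmin, $isCompany, $rowCount),
        'total'  => getTotalUsers($caller, $ignoreAdmin, $isCompany),
    ];
}

// Hardened shape following the advisory's recommendations.
function users_json_hardened(array $caller, array $req): array
{
    if (!$caller['loggedIn']) {                        // User::loginCheck()
        return ['status' => 401, 'error' => 'login required'];
    }
    if (!$caller['canSearchUsers']) {                  // canSearchUsers()
        return ['status' => 403, 'error' => 'forbidden'];
    }
    if (!empty($req['users_id'])) {
        $id = (int) $req['users_id'];
        if (!$caller['isAdmin'] && $id !== $caller['id']) {   // admins or the user itself
            return ['status' => 403, 'error' => 'forbidden'];
        }
        return ['status' => 200, 'user' => getUserFromID($id)];
    }
    // No $ignoreAdmin branch: isCompany is only a filter value now.
    $isCompany = (int) ($req['isCompany'] ?? 0);
    $rowCount  = max(1, min((int) ($req['rowCount'] ?? 10), MAX_ROW_COUNT));
    return [
        'status' => 200,
        'rows'   => getAllUsers($caller, false, $isCompany, $rowCount),
        'total'  => getTotalUsers($caller, false, $isCompany),
    ];
}

// Demo: an anonymous caller sends isCompany=0 with a large rowCount.
$anon = ['loggedIn' => false, 'id' => 0, 'isAdmin' => false, 'canSearchUsers' => false];
$req  = ['isCompany' => '0', 'rowCount' => '1000'];
$v = users_json_vulnerable($anon, $req);
$h = users_json_hardened($anon, $req);
printf("vulnerable: %d rows returned, total %d\n", count($v['rows']), $v['total']);
printf("hardened:   HTTP %d (%s)\n", $h['status'], $h['error']);
```

Run with the php CLI: the anonymous isCompany=0 request walks straight through the vulnerable handler and gets the two non-company rows plus their count, while the hardened handler rejects it with 401 before any lookup happens. The rowCount cap is applied after the login and permission checks on purpose: it bounds what an authorised searcher can page through, it is not a substitute for authentication.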
Weakness Enumeration
Missing Authentication
Related Identifiers
CVE-2026-43881
Affected Products
Avideo