PT-2026-43462 · Avideo · Avideo
Offset · Published 2026-05-15 · Updated 2026-05-29 · CVE-2026-45610
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier

Description: A cross-site request forgery (CSRF) issue exists in the 2FA toggle functionality. The endpoint "plugin/LoginControl/set.json.php" accepts POST requests with the parameters type=set2FA and value=false to disable two-factor authentication for a session-authenticated user via the LoginControl::setUser2FA() function. The endpoint fails to implement necessary security checks, such as the forbidIfIsUntrustedRequest() call, isTokenValid() verification, X-CSRF-Token/SameSite enforcement, or a re-authentication step. Consequently, an attacker can host a malicious cross-origin page that, when visited by a logged-in user, automatically issues a POST request to disable the victim's 2FA, making the account susceptible to credential stuffing or phishing attacks.

Recommendations: Update to a version where the "plugin/LoginControl/set.json.php" endpoint implements the forbidIfIsUntrustedRequest() gate and requires re-authentication (such as a 2FA code or password prompt) when disabling 2FA. As a temporary workaround, restrict access to the "plugin/LoginControl/set.json.php" endpoint or disable the LoginControl plugin until a patch is applied.
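The following is an added illustration, not AVideo code and not the project's actual fix: a small Python model of a 2FA-toggle handler, first as the description above characterises it (only the session cookie is checked) and then with the gates the recommendation names (an untrusted-request check on the Origin and Sec-Fetch-Site headers, a per-session anti-CSRF token compared in constant time, and a recent re-authentication requirement before 2FA may be turned off). The Request and Session classes, SITE_ORIGIN, REAUTH_WINDOW_SECONDS and the helper functions are constructed for the example; the real endpoint is PHP, and its forbidIfIsUntrustedRequest() and isTokenValid() helpers are not reproduced here.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values for the illustration; not taken from AVideo.
SITE_ORIGIN = "https://video.example"
REAUTH_WINDOW_SECONDS = 300  # how recent a password/2FA confirmation must be


@dataclass
class Session:
    user_id: int
    csrf_token: str          # per-session secret, echoed back in a header by first-party JS
    last_reauth: float       # epoch seconds of the last credential confirmation
    two_fa_enabled: bool = True


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]   # None when the browser did not attach the session cookie


def vulnerable_set2fa(req: Request) -> Tuple[int, str]:
    """Models the flaw in the advisory: the session cookie is the only check,
    so any page that can make the browser POST here changes the setting."""
    if req.session is None:
        return 401, "not logged in"
    if req.form.get("type") == "set2FA":
        req.session.two_fa_enabled = req.form.get("value") != "false"
        return 200, "2fa=%s" % req.session.two_fa_enabled
    return 400, "unknown type"


def hardened_set2fa(req: Request) -> Tuple[int, str]:
    """The same handler with the gates the recommendation calls for."""
    if req.method != "POST":
        return 405, "method not allowed"
    if req.session is None:
        # With a SameSite=Lax/Strict session cookie, a cross-site POST lands here.
        return 401, "not logged in"
    # 1. Untrusted-request gate: browsers attach Origin and Sec-Fetch-Site to
    #    cross-site POSTs and a third-party page cannot override them. A missing
    #    Origin is tolerated for older clients; the token below carries the load.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "untrusted origin"
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return 403, "cross-site request"
    # 2. Anti-CSRF token: only first-party script can read it from the session.
    #    compare_digest keeps the comparison constant-time.
    token = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403, "bad csrf token"
    if req.form.get("type") != "set2FA":
        return 400, "unknown type"
    # 3. Disabling 2FA is a security downgrade: require a recent re-authentication.
    if req.form.get("value") == "false":
        if time.time() - req.session.last_reauth > REAUTH_WINDOW_SECONDS:
            return 401, "reauth required"
    req.session.two_fa_enabled = req.form.get("value") != "false"
    return 200, "2fa=%s" % req.session.two_fa_enabled


def new_session(user_id: int, reauth_age_seconds: float) -> Session:
    """Constructed session whose last re-auth happened reauth_age_seconds ago."""
    return Session(user_id, secrets.token_urlsafe(32), time.time() - reauth_age_seconds)


def cross_site_post(sess: Session) -> Request:
    """Shape of the request the browser sends on behalf of another origin (constructed):
    the right form fields, no CSRF header, Origin set to that other site."""
    return Request("POST",
                   {"Origin": "https://third-party.example", "Sec-Fetch-Site": "cross-site"},
                   {"type": "set2FA", "value": "false"}, sess)


def first_party_post(sess: Session) -> Request:
    """Request issued by the site's own page, carrying the session's CSRF token."""
    return Request("POST",
                   {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin",
                    "X-CSRF-Token": sess.csrf_token},
                   {"type": "set2FA", "value": "false"}, sess)


if __name__ == "__main__":
    victim = new_session(1, 0)
    print("vulnerable, cross-site:", vulnerable_set2fa(cross_site_post(victim)))
    victim = new_session(1, 0)
    print("hardened, cross-site:  ", hardened_set2fa(cross_site_post(victim)))
    print("hardened, stale reauth:", hardened_set2fa(first_party_post(new_session(1, 3600))))
    print("hardened, fresh reauth:", hardened_set2fa(first_party_post(new_session(1, 0))))
```

The three layers are deliberately independent: the SameSite cookie attribute stops the cookie from being sent at all, the Origin/Sec-Fetch-Site check rejects a cross-site POST that still carries a cookie, and the token plus re-authentication step protect the downgrade even if a same-site page is compromised. Each layer alone has gaps (older clients, subdomain takeovers, XSS), which is why the recommendation asks for the gate and the re-authentication prompt together.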

Exploit

Fix

Missing Authentication

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-45610
GHSA-3MV2-VMWH-RWFX

Affected Products

Avideo