AVideo Platform Cross-Site Request Forgery Vulnerability in Password Reset Mechanism

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been reported in the password recovery feature of AVideo Platform version 8.1. The 'recoverPass' endpoint accepts a password-change request that carries a user's recovery token without any further check that the request was intentionally submitted by that user from the site itself, so an attacker who can craft such a request can change the account's credentials without authenticating.

Impact

Successful exploitation lets an attacker reset another user's password, which can lead to a full account takeover.

Reproduction

Send a request to the 'recoverPass' endpoint that carries the target user's recovery token together with a new password. The advisory states that the token is first retrieved from the user's account details and then placed in a crafted request that resets the password; it does not list the request parameters, so take them from a captured legitimate reset request or from the 8.1 source before building the cross-site page that submits the request.
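
The following is an added illustration, not code from AVideo: a minimal password-recovery handler that a cross-site page can drive, beside a hardened version of the same handler. The endpoint, parameter names (`user`, `recoverpass`, `pass`, `csrf`), the site origin `https://video.example`, the in-memory store and the sample account are all assumptions made for the demonstration. The hardened version shows the checks a practitioner would expect on such an endpoint: POST only, an Origin/Referer check against the site, a per-session anti-CSRF token, and a recovery token that is time-limited, compared in constant time and consumed on first use.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Endpoint, parameter names, origin and storage model are assumptions for this
# illustration; they are not taken from AVideo's source.
TRUSTED_ORIGIN = "https://video.example"


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class User:
    name: str
    password: str
    recovery_token: Optional[str] = None
    token_expires: float = 0.0


class ResetStore:
    """In-memory stand-in for the users and sessions tables."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}  # session id -> anti-CSRF token

    def issue_recovery_token(self, name: str, ttl: int = 900) -> str:
        user = self.users[name]
        user.recovery_token = secrets.token_urlsafe(32)
        user.token_expires = time.time() + ttl
        return user.recovery_token

    def new_session(self) -> tuple:
        """Anonymous session the reset page runs under. The CSRF token is only
        readable by same-origin pages, which an attacker-controlled page is not."""
        sid, csrf = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = csrf
        return sid, csrf


def recover_pass_vulnerable(req: Request, store: ResetStore) -> int:
    """Weak handler: any request, from any origin and with any method, that
    carries a matching token is honoured, so a page the victim visits can submit
    it on their behalf. The token is neither expired nor invalidated."""
    user = store.users.get(req.form.get("user", ""))
    if user is None or req.form.get("recoverpass") != user.recovery_token:
        return 403
    user.password = req.form.get("pass", "")
    return 200


def same_origin(value: str, trusted: str) -> bool:
    """Exact scheme+host match; a prefix test would accept video.example.evil."""
    got, want = urlsplit(value), urlsplit(trusted)
    return got.netloc != "" and (got.scheme, got.netloc) == (want.scheme, want.netloc)


def recover_pass_hardened(req: Request, store: ResetStore) -> int:
    if req.method != "POST":
        return 405
    # Browsers always send Origin on cross-origin POSTs; fail closed when neither
    # Origin nor Referer identifies the site.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin, TRUSTED_ORIGIN):
        return 403
    expected_csrf = store.sessions.get(req.cookies.get("sid", ""))
    if expected_csrf is None or not hmac.compare_digest(expected_csrf, req.form.get("csrf", "")):
        return 403
    user = store.users.get(req.form.get("user", ""))
    if user is None or user.recovery_token is None or time.time() > user.token_expires:
        return 403
    if not hmac.compare_digest(user.recovery_token, req.form.get("recoverpass", "")):
        return 403
    user.recovery_token = None  # single use: a replay is refused
    user.password = req.form.get("pass", "")
    return 200


def demo() -> Dict[str, object]:
    """Drive both handlers with a constructed cross-site request and then a
    legitimate same-origin one; returns the observed outcomes."""
    results: Dict[str, object] = {}
    store = ResetStore()
    store.users["alice"] = User("alice", "old-password")  # constructed victim
    token = store.issue_recovery_token("alice")

    # Form auto-submitted from an attacker page: foreign Origin, no site session.
    cross_site = Request("POST", {"user": "alice", "recoverpass": token, "pass": "attacker-chosen"},
                         headers={"Origin": "https://evil.example"})
    results["vuln_cross_site"] = recover_pass_vulnerable(cross_site, store)
    results["vuln_password"] = store.users["alice"].password

    store.users["alice"].password = "old-password"  # reset for the hardened run
    results["hard_cross_site"] = recover_pass_hardened(cross_site, store)
    results["hard_password_after_csrf"] = store.users["alice"].password

    # Legitimate submission from the site's own reset page.
    sid, csrf = store.new_session()
    legit = Request("POST", {"user": "alice", "recoverpass": token, "pass": "new-password", "csrf": csrf},
                    cookies={"sid": sid}, headers={"Origin": TRUSTED_ORIGIN})
    results["hard_legit"] = recover_pass_hardened(legit, store)
    results["hard_password_after_legit"] = store.users["alice"].password
    results["hard_replay"] = recover_pass_hardened(legit, store)  # token consumed
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the weak handler accepting the cross-site request and changing the password, while the hardened handler refuses it on the Origin check alone, accepts the same-origin request once, and refuses the replay because the recovery token was consumed. The CSRF token and Origin check are independent defences; keeping both means a missing Referer or a browser quirk does not silently reopen the endpoint.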

Added: Feb 11, 2026, 9:54 PM
Updated: Feb 11, 2026, 9:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 7.1
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.