WWBN AVideo Authenticated Server-Side Request Forgery Vulnerability in aVideoEncoder.json.php

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WWBN AVideo versions prior to 22.0. The issue arises in the aVideoEncoder.json.php API endpoint, which accepts a downloadURL parameter and fetches the specified resource without proper validation. This flaw allows authenticated users to send requests to arbitrary URLs, including internal network endpoints. Exploitation of this vulnerability could enable an authenticated attacker to access sensitive data from internal services, such as internal APIs or metadata services, potentially leading to further compromise depending on the deployment environment.

Impact

Exploitation of this vulnerability could allow an authenticated attacker to interact with internal services, access sensitive data, and potentially compromise the system further, depending on the deployment environment.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the aVideoEncoder.json.php API endpoint with a downloadURL parameter that points to an arbitrary URL. Affected versions fetch the resource without proper validation, potentially allowing access to internal services or sensitive data.

Remediation

Users are advised to upgrade to AVideo version 22.0 or later, where this vulnerability has been fixed.
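
One way an endpoint can check a user-supplied downloadURL before fetching it, shown as an added example: this is not AVideo's code or the fix shipped in 22.0, and the function names isPublicIp, resolveDownloadTarget and fetchDownloadUrl are hypothetical. It assumes the PHP curl extension is available and that only public IPv4 download sources need to be supported.

```php
<?php
// Added example: hypothetical helpers, not AVideo's code or its 22.0 patch.

/** True only for public addresses (rejects private, loopback, link-local, reserved). */
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Validates a user-supplied downloadURL; returns [host, port, ip] or throws. */
function resolveDownloadTarget(string $url): array
{
    $parts = parse_url($url);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        throw new InvalidArgumentException('downloadURL must be an absolute http(s) URL');
    }
    // IPv4 lookup only; IPv6 literals and unresolvable hosts fail closed.
    $ips = gethostbynamel($parts['host']) ?: [];
    if ($ips === [] || count(array_filter($ips, 'isPublicIp')) !== count($ips)) {
        throw new InvalidArgumentException('downloadURL host is unresolvable or not public');
    }
    return [$parts['host'], $parts['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

/** Fetches the URL with the connection pinned to the address that was checked. */
function fetchDownloadUrl(string $url): string
{
    [$host, $port, $ip] = resolveDownloadTarget($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,               // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // no second DNS lookup (rebinding)
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('download failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed inputs: each is rejected before any request is made.
if (PHP_SAPI === 'cli') {
    foreach (['http://127.0.0.1:8080/', 'http://169.254.169.254/', 'ftp://example.com/x'] as $u) {
        try { resolveDownloadTarget($u); echo "ALLOWED  $u\n"; }
        catch (InvalidArgumentException $e) { echo "REJECTED $u\n"; }
    }
}
```

The PHP filter flags do not cover every non-public range (for example 100.64.0.0/10), so deployments that use such ranges internally need an explicit deny list in addition.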

Added: Feb 24, 2026, 3:25 PM
Updated: Feb 24, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.8
exploitability: 5.8
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.