WWBN AVideo Default Password Vulnerability in Docker Deployment

Vulnerability

A vulnerability exists in WWBN AVideo versions through 25.0, where the official Docker deployment files include a default admin password of 'password'. This default is used to create the admin account during installation. Instances deployed without changing the SYSTEM_ADMIN_PASSWORD are vulnerable to easy administrative takeover. The application lacks safeguards such as a mandatory password change upon first login, password complexity requirements, and detection of default passwords. Additionally, the password is hashed using the weak MD5 algorithm. Full admin access allows for exposure of user data, manipulation of content, and potential remote code execution through file uploads and plugin management. This insecure default also applies to database credentials, further increasing the risk.

Impact

Exploitation leads to full administrative control over the AVideo instance, allowing access to all user data, content management, and the possibility of remote code execution via uploaded files or plugins.

Reproduction

To reproduce this vulnerability, deploy AVideo using the official Docker deployment files without overriding the default SYSTEM_ADMIN_PASSWORD. After the installation, log in with the username 'admin' and the password 'password' to gain administrative access.

Remediation

Users should update to AVideo version 26.0 or later, and ensure that the SYSTEM_ADMIN_PASSWORD is set to a strong, unique password before deployment.
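
A pre-deployment check for the remediation above, as an added example that is not AVideo's own code: it flags any variable ending in PASSWORD in a compose or .env file whose effective value is a known default or too short. Only SYSTEM_ADMIN_PASSWORD and the default 'password' come from the advisory; EXAMPLE_DB_PASSWORD, the sample file layout, the weak-value list and the 12-character minimum are assumptions.

```python
import re

# 'password' is the default named in the advisory; the other entries are assumed.
WEAK_VALUES = {"", "password", "admin", "changeme", "123456"}
MIN_LENGTH = 12  # assumed policy threshold, not an AVideo requirement

# KEY=value (.env, compose list form) or KEY: value (compose mapping form).
ASSIGN = re.compile(r'^\s*-?\s*([A-Z0-9_]*PASSWORD)\s*[=:]\s*(.*?)\s*$')
# Compose interpolation with a fallback value: ${VAR:-default}
FALLBACK = re.compile(r'^\$\{([A-Z0-9_]+):-(.*)\}$')

def effective_value(raw, overrides):
    """Resolve the value the container would receive, given operator overrides."""
    raw = raw.strip('"\'')
    m = FALLBACK.match(raw)
    if m:
        name, default = m.groups()
        # ':-' falls back when the variable is unset or empty.
        return overrides.get(name) or default
    return raw

def audit(text, overrides=None):
    """Return {variable: reason} for each *_PASSWORD that is weak or defaulted."""
    overrides = overrides or {}
    findings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue  # comments and unrelated keys are skipped
        name, raw = m.groups()
        value = effective_value(raw, overrides)
        if value.lower() in WEAK_VALUES:
            findings[name] = "default or well-known value"
        elif len(value) < MIN_LENGTH:
            findings[name] = f"shorter than {MIN_LENGTH} characters"
    return findings

# Constructed sample, not copied from the AVideo repository.
# EXAMPLE_DB_PASSWORD is a hypothetical name standing in for database credentials.
SAMPLE_COMPOSE = """\
services:
  avideo:
    environment:
      SYSTEM_ADMIN_PASSWORD: "${SYSTEM_ADMIN_PASSWORD:-password}"
      EXAMPLE_DB_PASSWORD: "${EXAMPLE_DB_PASSWORD:-password}"
"""

if __name__ == "__main__":
    for var, why in audit(SAMPLE_COMPOSE).items():
        print(f"FAIL {var}: {why}")
```

Passing the operator's real environment as overrides shows whether a deployment would still fall back to the shipped default.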

Added: Mar 20, 2026, 6:22 AM
Updated: Mar 20, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.0
remediation: 8.3
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.