WWBN AVideo Server-Side Request Forgery Vulnerability in LiveLinks Plugin

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the WWBN AVideo platform, affecting versions through 25.0. The issue resides in the plugin/LiveLinks/proxy.php endpoint, which does not adequately validate user-supplied URLs against internal networks: the initially submitted URL is checked for safety, but any HTTP redirects it returns are followed without re-validation, so an attacker-controlled redirect can reach internal services and cloud metadata endpoints. The endpoint is unauthenticated and fetches the user-supplied URL directly.

Impact

Exploitation of this vulnerability allows attackers to access internal services and cloud metadata, including sensitive information such as IAM credentials on AWS, through an attacker-controlled redirect. The vulnerability could also be used to probe internal networks and services, potentially leading to further exploitation.

Reproduction

To reproduce this vulnerability, send a request to the AVideo instance's LiveLinks proxy endpoint with a URL that redirects to an internal service, such as cloud metadata. The request will bypass SSRF protections and return the internal data, including cloud IAM credentials if the redirect targets a metadata service.

Remediation

Users are advised to update to AVideo version 26.0 or later, where this vulnerability has been fixed.
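The mitigation pattern implied by the advisory, shown as an added Python example that is not AVideo's own code: the proxy resolves and checks every hop of a redirect chain rather than only the submitted URL. The hostnames, the fetch_hop callback and the run_demo scenario are constructed for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Ranges the proxy must never reach: loopback, RFC 1918, link-local (which holds
# the 169.254.169.254 cloud metadata address) and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
class UnsafeTarget(Exception): pass

def resolve_and_check(url, resolver=socket.gethostbyname):
    """Resolve the URL's host; raise UnsafeTarget if scheme or address is disallowed."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeTarget("unsupported scheme or missing host: %r" % url)
    ip = ipaddress.ip_address(resolver(parts.hostname))
    if ip.is_multicast or ip.is_reserved or any(ip in net for net in BLOCKED_NETS):
        raise UnsafeTarget("%s resolves to blocked address %s" % (parts.hostname, ip))
    return str(ip)

def fetch_checked(url, fetch_hop, resolver=socket.gethostbyname, max_redirects=5):
    """Follow redirects manually so every hop is validated, not only the first URL.
    fetch_hop(url, ip) must not follow redirects itself and returns (status, headers, body);
    it should connect to the pre-resolved ip so DNS cannot change between check and use."""
    for _ in range(max_redirects + 1):
        ip = resolve_and_check(url, resolver)
        status, headers, body = fetch_hop(url, ip)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        if "Location" not in headers:
            raise UnsafeTarget("redirect without Location header")
        url = urljoin(url, headers["Location"])  # re-validated on the next iteration
    raise UnsafeTarget("too many redirects")

# Constructed offline scenario with hypothetical hosts: a benign stream URL and one
# that 302-redirects to the metadata address, mirroring the bypass in the advisory.
_DEMO_DNS = {"cdn.example.com": "203.0.113.10", "bait.example.net": "198.51.100.7"}

def _demo_hop(url, ip):
    if url.startswith("http://bait.example.net/"):
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/iam/"}, b""
    return 200, {}, b"stream bytes"

def run_demo():
    resolver = lambda host: _DEMO_DNS.get(host, host)  # IP literals map to themselves
    direct = fetch_checked("http://cdn.example.com/live.m3u8", _demo_hop, resolver)
    try:
        fetch_checked("http://bait.example.net/go", _demo_hop, resolver)
        return direct, "reached"
    except UnsafeTarget as exc:
        return direct, str(exc)
```

In a real deployment fetch_hop should also be built with redirects disabled in the HTTP client and should connect to the checked IP, since a client that follows redirects on its own reintroduces the flaw.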

Added: Mar 20, 2026, 6:20 AM
Updated: Mar 20, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm
  spread          1.0
  impact          0.6
  exploitability  9.1
  remediation     7.7
  relevance       4.2
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.