WWBN AVideo Unauthenticated Information Disclosure Vulnerability in Permissions Plugin

Vulnerability

A vulnerability exists in the Permissions plugin of WWBN AVideo versions through 26.0. The endpoint 'plugin/Permissions/View/Users_groups_permissions/list.json.php' lacks authentication and authorization checks, so unauthenticated users can retrieve the complete permission matrix that maps user groups to plugins. Sibling endpoints in the same directory properly enforce admin checks, which indicates that the missing check is an unintentional omission. Exploitation enables enumeration of the application's authorization model: which user groups have access to which plugins, and at what permission levels.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to access sensitive permission data, including all user group IDs, installed plugin IDs, and their corresponding permission configurations. This information could facilitate targeted privilege escalation attacks.

Reproduction

The vulnerability can be reproduced by sending a request to the 'plugin/Permissions/View/Users_groups_permissions/list.json.php' endpoint without authentication. The response will include the complete permission mappings, demonstrating the lack of access control.

Remediation

To address this vulnerability, add an admin authorization check to the affected endpoint, similar to the checks implemented in the sibling endpoints.
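
To check whether the endpoint has already been requested on your own instance, the web server access log can be searched for successful requests to it. The following is an added example, not part of the original advisory or of AVideo's code; it assumes Apache/nginx combined-format logs, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Affected endpoint path, as named in the advisory.
ENDPOINT = "plugin/Permissions/View/Users_groups_permissions/list.json.php"

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_endpoint_hits(lines):
    """Return one dict per request to the endpoint answered with a 2xx status."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string, decode %xx escapes, collapse repeated slashes.
        path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0]))
        if ENDPOINT not in path:  # substring match tolerates an install sub-directory
            continue
        if not m["status"].startswith("2"):
            continue  # denied or failed requests returned no permission data
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"ip": m["ip"], "time": m["time"], "bytes": size})
    return hits

def hits_by_client(hits):
    """Count successful endpoint requests per client address."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /plugin/Permissions/View/Users_groups_permissions/list.json.php HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /avideo//plugin/Permissions/View/Users_groups_permissions/list.json.php?_=1 HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '203.0.113.20 - - [01/Jan/2026:10:01:00 +0000] "GET /plugin/Permissions/View/Users_groups_permissions/list.json.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [01/Jan/2026:10:02:11 +0000] "GET /view/index.php HTTP/1.1" 200 18210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in hits_by_client(find_endpoint_hits(SAMPLE_LOG)).most_common():
        print(f"{ip}: {count} successful request(s) to {ENDPOINT}")
```

A combined-format log does not record whether a request carried an admin session, so legitimate administrator requests appear in the results as well and need to be reviewed by client address and time.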

Added: Mar 23, 2026, 5:23 PM
Updated: Mar 23, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.7
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.