WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A vulnerability exists in the WWBN AVideo platform, specifically in versions through 26.0, within the API plugin. The issue arises because the `decryptString` action is exposed without authentication, allowing anyone to submit ciphertext and receive plaintext in return. This vulnerability can be exploited to recover protected tokens and metadata, as the ciphertext is publicly accessible through certain API endpoints. The vulnerability has been patched in a subsequent commit.
Exploitation of this vulnerability allows decryption of any encrypted payload produced by the AVideo platform. This leaks confidential tokens and links whose secrecy was assumed, and which could then be reused or tampered with.
To reproduce this vulnerability, first obtain ciphertext by sending a GET request to `view/url2Embed.json.php` with a URL parameter. The response will include a `playLink` ciphertext. Then, send a POST request to `plugin/API/get.json.php` with the `APIName` parameter set to `decryptString` and include the ciphertext in the `string` parameter. The response will contain the decrypted plaintext JSON, including the video link, title, user ID, and other metadata.
The vulnerability has been patched by requiring a valid API secret or admin access for the `decryptString` API endpoint. Users should rotate encryption keys or salts after applying the patch to invalidate any exposed ciphertexts.
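When deciding whether exposed ciphertexts need to be treated as disclosed, web server access logs can be reviewed for calls to the `decryptString` action. The following is an added example, not code from the AVideo project or the original advisory. It assumes combined-format access logs and that `APIName` appears in the logged request URI (a parameter sent only in the POST body will not show up in such logs); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# client, timestamp, method, request target, status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines for illustration (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /view/url2Embed.json.php?url=https%3A%2F%2Fexample.test%2Fv%2F1 HTTP/1.1" 200 512 "-" "client-a"
203.0.113.7 - - [01/Jan/2000:10:00:02 +0000] "POST /plugin/API/get.json.php?APIName=decryptString HTTP/1.1" 200 840 "-" "client-a"
198.51.100.9 - - [01/Jan/2000:10:05:00 +0000] "GET /plugin/API/get.json.php?APIName=example HTTP/1.1" 200 300 "-" "client-b"
192.0.2.44 - - [01/Jan/2000:10:06:00 +0000] "POST /plugin/API/get.json.php?APIName=decryptString HTTP/1.1" 403 90 "-" "client-c"
"""

def find_decrypt_calls(log_text):
    """Return one finding per decryptString request, in log order."""
    fetched = set()  # clients that already requested url2Embed.json.php
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        # endswith() also covers installs under a sub-directory
        if url.path.endswith("/view/url2Embed.json.php"):
            fetched.add(client)
        elif url.path.endswith("/plugin/API/get.json.php"):
            names = parse_qs(url.query).get("APIName", [])
            if any(n.lower() == "decryptstring" for n in names):
                findings.append({
                    "client": client,
                    "time": when,
                    "method": method,
                    "status": int(status),
                    # 2xx means the request was answered, not that it was authorized
                    "answered_2xx": status.startswith("2"),
                    # same client fetched a playLink ciphertext earlier in the log
                    "ciphertext_fetched_first": client in fetched,
                })
    return findings

if __name__ == "__main__":
    for finding in find_decrypt_calls(SAMPLE_LOG):
        print(finding)
```

Requests answered with a 2xx status before the patch was applied are the ones that matter for the key and salt rotation decision; legitimate callers holding the API secret will also appear and need to be separated out by source.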