WWBN AVideo Privilege Escalation Vulnerability via GET-Based CSRF in Permissions Management Endpoint

Vulnerability

A vulnerability in WWBN AVideo versions through 26.0 allows for privilege escalation through cross-site request forgery (CSRF) via the 'plugin/Permissions/setPermission.json.php' endpoint. This endpoint accepts GET parameters to modify user group permissions but lacks CSRF token validation. Additionally, the application sets session cookies to 'SameSite=None', enabling an unauthenticated attacker to create a page that, when visited by an admin, silently alters permissions for the attacker's user group, effectively granting near-admin access. As of the publication date, no patched versions are available.

Impact

Exploitation of this vulnerability allows a low-privileged user to gain near-admin rights by manipulating an admin into loading a crafted page. The attack requires no JavaScript, bypasses Content Security Policy restrictions, and can be executed in environments where scripts are disabled, such as certain email clients or forum platforms. Once the page is loaded, the attacker's user group is granted elevated permissions, which are then available to all users in that group.

Reproduction

To reproduce this vulnerability, an attacker must host a page containing 'img' tags whose 'src' attributes point to the vulnerable endpoint with the GET parameters needed to modify permissions. When an admin visits the page, the browser loads each 'img' and so sends GET requests to the endpoint with the admin's session cookie attached (the cookie is 'SameSite=None'); since the endpoint performs no CSRF token check, nothing distinguishes these requests from legitimate ones. The endpoint then grants the specified permissions to the attacker's user group.

Remediation

To address this vulnerability, the 'plugin/Permissions/setPermission.json.php' file should be modified to accept POST requests instead of GET requests and to include CSRF token validation. The AJAX call in 'getPermissionsFromPlugin.html.php' should also be updated to send the 'globalToken' parameter with the data payload.
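The following is an added example of what the remediation above looks like in code; it is not AVideo's own source. It shows a hardened body for 'plugin/Permissions/setPermission.json.php' applying all three points: POST only, a session-bound 'globalToken' check, and a 'SameSite' cookie setting that keeps the admin session off cross-site 'img' loads. The helpers 'currentUserIsAdmin()' and 'applyGroupPermission()' and the parameter names 'users_groups_id', 'permission_id' and 'enabled' are assumptions standing in for whatever the application actually uses.

```php
<?php
// Added example, not code from the AVideo project. Hardened replacement for
// the body of plugin/Permissions/setPermission.json.php. The helpers
// currentUserIsAdmin() and applyGroupPermission() and the POST parameter
// names below are assumptions, not the project's real identifiers.

declare(strict_types=1);

// Cookie hardening: SameSite=None is what let the <img>-driven GET carry the
// admin's session. Lax (or Strict) keeps the cookie off cross-site <img> and
// <iframe> loads. This must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
header('Content-Type: application/json');

/** Emit a JSON response with the given HTTP status and stop. */
function respond(int $status, bool $error, string $msg): void
{
    http_response_code($status);
    echo json_encode(['error' => $error, 'msg' => $msg]);
    exit;
}

/**
 * Per-session CSRF token. The page that renders the permissions UI embeds
 * this value so the AJAX call can send it back in the POST body.
 */
function globalToken(): string
{
    if (empty($_SESSION['globalToken'])) {
        $_SESSION['globalToken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['globalToken'];
}

// Fix 1: a state-changing endpoint must not act on GET. An <img src="..."> can
// only issue GET, so this alone defeats the scriptless variant of the attack.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    respond(405, true, 'POST required');
}

// Fix 2: require the session-bound token in the POST body (not the query
// string, where it would leak via logs and Referer) and compare it in
// constant time. A missing session token yields a fresh one and a mismatch.
$provided = $_POST['globalToken'] ?? '';
if (!is_string($provided) || !hash_equals(globalToken(), $provided)) {
    respond(403, true, 'Invalid or missing CSRF token');
}

// The authorization check stays: CSRF protection is in addition to it,
// never a replacement for it.
if (!currentUserIsAdmin()) {               // assumed helper
    respond(403, true, 'Admin only');
}

// Validate inputs as typed values instead of trusting raw strings.
$groupId      = filter_input(INPUT_POST, 'users_groups_id', FILTER_VALIDATE_INT);
$permissionId = filter_input(INPUT_POST, 'permission_id', FILTER_VALIDATE_INT);
$enabled      = filter_input(INPUT_POST, 'enabled', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
if (!is_int($groupId) || !is_int($permissionId) || $enabled === null) {
    respond(400, true, 'Invalid parameters');
}

applyGroupPermission($groupId, $permissionId, $enabled);   // assumed helper
respond(200, false, 'Permission updated');
```

With this in place, the AJAX call in 'getPermissionsFromPlugin.html.php' must switch to POST and put 'globalToken' in the request body, exactly as the remediation describes; a request that still arrives as GET, or without a matching token, is rejected before any permission is touched. Note that 'SameSite=Lax' is the defence-in-depth layer, not the primary fix: if the application relies on cross-site cookie flows (for example, embedded players), check those still work before tightening the cookie, and keep the POST-plus-token check regardless.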

Added: Mar 23, 2026, 7:31 PM
Updated: Mar 23, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          5.0
  exploitability  7.3
  remediation     0.0
  relevance       4.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.