WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 27.0
A privilege escalation vulnerability has been identified in WWBN AVideo versions through 26.0. A user with 'Videos Moderator' permissions can gain unauthorized access to full video management capabilities, including transferring ownership and deleting any video. The flaw arises because the permission check for moderating videos is improperly applied: the moderation permission is treated as full edit rights, so moderators can bypass the intended restrictions. The result is an asymmetric authorization flaw, since the moderation permission is sufficient to change a video's owner, and the deletion check then trusts that ownership; it is exploited by first transferring video ownership and then deleting the video.
Exploitation of this vulnerability allows for arbitrary deletion of videos, including those owned by administrators. It also enables unauthorized changes to video content, such as altering payment flags, removing password protections, and modifying categories and user group visibility. Additionally, the vulnerability disrupts the integrity of video ownership records, creating unreliable audit trails.
To reproduce this vulnerability, an account with 'Videos Moderator' permissions is required. First, identify a video owned by another user. Then, use the 'videoAddNew.json.php' endpoint to transfer ownership of the target video to the moderator account. After the ownership transfer is confirmed, the video can be deleted using the 'videoDelete.json.php' endpoint, taking advantage of the ownership check that now recognizes the moderator as the owner.
Users are advised to update to version 27.0 or later, where this vulnerability has been addressed. In the patched version, the authorization checks have been corrected to ensure that 'Videos Moderator' permissions do not grant full editing rights or ownership transfer capabilities.
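The authorization pattern described above, with the flawed check beside a corrected one, as an added illustration that is not AVideo's code and makes no claim about the project's real endpoints. The `User`, `Video`, and `MODERATION_FIELDS` names are constructed for this model; the assumption is that moderation is meant to cover a small set of fields, and that deletion is gated on ownership in both versions.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    is_admin: bool = False
    videos_moderator: bool = False  # models the 'Videos Moderator' permission


@dataclass
class Video:
    video_id: int
    owner_id: int


# Hypothetical set of fields a moderator may change (assumed, not AVideo's real set).
MODERATION_FIELDS = {"status"}


def flawed_can_edit(user: User, video: Video, field: str) -> bool:
    """Flawed pattern: moderator permission grants edit rights on every field, owner included."""
    return user.is_admin or video.owner_id == user.user_id or user.videos_moderator


def hardened_can_edit(user: User, video: Video, field: str) -> bool:
    """Corrected pattern: the field being changed decides; owner transfer needs owner or admin."""
    if user.is_admin or video.owner_id == user.user_id:
        return True
    return user.videos_moderator and field in MODERATION_FIELDS


def transfer_owner(user: User, video: Video, new_owner_id: int, can_edit) -> bool:
    # The edit policy is consulted for the specific field "owner".
    if not can_edit(user, video, "owner"):
        return False
    video.owner_id = new_owner_id
    return True


def delete_video(user: User, video: Video) -> bool:
    # Deletion checks ownership, which is why a prior owner transfer unlocks it.
    return user.is_admin or video.owner_id == user.user_id


def moderator_chain(can_edit) -> tuple[bool, bool]:
    """(transfer_succeeded, delete_succeeded) for a moderator acting on another user's video."""
    moderator = User(user_id=2, videos_moderator=True)
    video = Video(video_id=10, owner_id=1)  # constructed: owned by user 1, not the moderator
    transferred = transfer_owner(moderator, video, moderator.user_id, can_edit)
    deleted = delete_video(moderator, video)
    return transferred, deleted


if __name__ == "__main__":
    print("flawed:", moderator_chain(flawed_can_edit))      # (True, True)
    print("hardened:", moderator_chain(hardened_can_edit))  # (False, False)
```

The hardened policy closes the chain at its first step, so the unchanged ownership-based deletion check is never reached with a forged owner.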