WWBN AVideo Unauthenticated Access to Scheduler Plugin Endpoints Vulnerability

Vulnerability

A vulnerability exists in the WWBN AVideo Scheduler plugin, in versions through 26.0, where three `list.json.php` endpoints lack authentication checks. This omission allows an unauthenticated attacker to access sensitive information such as scheduled tasks, internal callback URLs, admin email content, and user-email targeting mappings. The vulnerability arises because these endpoints do not require admin privileges, unlike other endpoints in the same plugin that do. Exploitation can be done by sending simple GET requests to the vulnerable endpoints.

Impact

Exploitation of this vulnerability allows for unauthorized access to scheduled tasks, internal callback URLs and parameters, admin-composed email messages, and user-to-email targeting mappings. This information could be used for further attacks, such as exploiting internal URLs or targeting specific user accounts.

Reproduction

To reproduce this vulnerability, send a GET request to one of the three vulnerable `list.json.php` endpoints in the Scheduler plugin. No authentication is required, and the response will include the full contents of the `Scheduler_commands`, `Emails_messages`, or `Email_to_user` tables, depending on which endpoint is accessed.

Remediation

Users are advised to update to version 26.0 or later, where this vulnerability has been patched. Instructions for updating can be found in the AVideo documentation.
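To check a deployment or fork for the omission described under Vulnerability, one option is to scan the plugin directory for JSON endpoints that never call the admin check their sibling endpoints use. The script below is an added example, not code from AVideo or from this advisory; the guard name `User::isAdmin()`, the `*.json.php` file pattern and the `tableA`/`tableB` sample layout are assumptions or constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Assumption: admin-only endpoints call User::isAdmin(); change GUARD to
# match the check your code base actually uses.
GUARD = re.compile(r"User::isAdmin\s*\(")
# Simplified PHP comment stripper (does not understand string literals).
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def has_guard(php_source):
    """True if the guard call appears outside comments."""
    return bool(GUARD.search(COMMENTS.sub("", php_source)))

def audit_plugin(plugin_dir):
    """Relative paths of *.json.php files that never call the guard."""
    root = Path(plugin_dir)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.json.php")
        if not has_guard(p.read_text(encoding="utf-8", errors="replace"))
    )

# Constructed sample endpoint bodies (not taken from the project).
GUARDED = ("<?php\nif (!User::isAdmin()) {\n    http_response_code(403);\n"
           "    exit;\n}\necho json_encode($rows);\n")
OPEN = "<?php\necho json_encode($rows);\n"
COMMENTED = ("<?php\n// TODO: if (!User::isAdmin()) { exit; }\n"
             "echo json_encode($rows);\n")

def build_sample_tree(root):
    """Write a constructed plugin layout (placeholder names) for the demo."""
    files = {
        "tableA/add.json.php": GUARDED,
        "tableA/delete.json.php": GUARDED,
        "tableA/list.json.php": OPEN,
        "tableB/add.json.php": GUARDED,
        "tableB/list.json.php": COMMENTED,
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in audit_plugin(tmp):
            print("no admin check:", rel)
```

A file that is reported never calls the guard; a file that is not reported still needs review, since the scan only confirms that the call is present, not that its result is enforced.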

Added: Mar 27, 2026, 4:11 PM
Updated: Mar 27, 2026, 4:11 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.3
remediation: 6.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.