WWBN AVideo Cross-Site Request Forgery Vulnerability in Player Skin Configuration

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in WWBN AVideo versions through 26.0. The player skin configuration endpoint, admin/playerUpdate.json.php, processes POST data without validating a CSRF token. The issue is made worse by the platform's 'SameSite=None' session cookie setting: the browser attaches the administrator's session cookie to POST requests that originate from any other site, so a forged form submission arrives fully authenticated and can change the video player appearance platform-wide. In addition, the 'plugins' table is excluded from the ORM's domain-based security check, which removes a layer of defense that would otherwise apply to the affected data.

Impact

Exploiting this issue lets an attacker change the video player appearance for the whole platform without the administrator's knowledge, and submitting an invalid skin value can disrupt playback. Because the 'plugins' table is outside the ORM's security check, the same weakness carries a broader risk of defacement and of social engineering attacks against viewers.

Reproduction

To reproduce, host a page on an attacker-controlled origin containing an HTML form whose action is the vulnerable instance's admin/playerUpdate.json.php endpoint, with method POST and a hidden field carrying the chosen skin value, and submit it automatically from script on page load. When an administrator who is logged in to the AVideo instance visits the page, the browser sends the POST together with the admin's session cookie (which 'SameSite=None' permits), and the player skin changes with no action or notice on the admin's part. No token or other secret is needed because the endpoint performs no CSRF validation.

Remediation

Add CSRF token validation to admin/playerUpdate.json.php before any POST data is processed: generate an unguessable per-session token, embed it in the legitimate admin form, and reject any request whose token is missing or does not match (compared in constant time). Changing the session cookie to 'SameSite=Lax' or 'Strict' adds a second layer, but should be assessed against any legitimate cross-site use of the cookie, so the token check remains the primary control. Including the 'plugins' table in the ORM's domain-based security check would close the related gap.
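The following is an added illustration of the recommended fix, not AVideo's own code: a minimal POST handler in the shape of admin/playerUpdate.json.php that validates a per-session CSRF token before reading any other field, and serves the legitimate form with that token embedded. The field names csrf_token and player_skin, the ALLOWED_SKINS list, and the use of the session as a stand-in for the database write are assumptions for illustration.

```php
<?php
// Added example (not AVideo's own code): CSRF-protected player skin update
// handler. Field names csrf_token and player_skin and the ALLOWED_SKINS
// allow-list are assumptions; AVideo's real parameter names may differ.
declare(strict_types=1);

// Defence in depth: a Lax cookie is not attached to cross-site POSTs at all.
// Assess this against any legitimate cross-site use of the session before
// changing it; the token check below is the primary control.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

/** Return the per-session token, creating an unguessable one on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of a submitted token against the session token. */
function csrf_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

/** Assumed allow-list: an attacker-chosen invalid skin value is rejected before storage. */
const ALLOWED_SKINS = ['default', 'dark', 'light'];

/** Emit a JSON error in the style of a *.json.php endpoint and stop. */
function json_fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The token is checked before any other POST field is read or acted on.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        json_fail(403, 'invalid or missing CSRF token');
    }
    $skin = $_POST['player_skin'] ?? '';
    if (!is_string($skin) || !in_array($skin, ALLOWED_SKINS, true)) {
        json_fail(400, 'unknown skin');
    }
    $_SESSION['player_skin'] = $skin; // stands in for the database write the real endpoint performs
    header('Content-Type: application/json');
    echo json_encode(['error' => false, 'skin' => $skin]);
    exit;
}

// GET: the legitimate admin page receives the token in a hidden field. A form on
// another origin cannot read this value, so an auto-submitting forged form fails
// the check above with a 403 before any skin value is processed.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <select name="player_skin">
    <?php foreach (ALLOWED_SKINS as $s): ?>
      <?php $e = htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); ?>
      <option value="<?= $e ?>"><?= $e ?></option>
    <?php endforeach; ?>
  </select>
  <button type="submit">Update player skin</button>
</form>
```

With this in place, the auto-submitting form described under Reproduction still reaches the endpoint with the admin's cookie if the cookie stays 'SameSite=None', but it cannot supply the session-bound token and is rejected before any POST field is read. Checking the request's Origin header against the site's own origin is a cheap additional layer; it is not a replacement for the token because some clients omit the header.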

Added: Apr 6, 2026, 8:29 PM
Updated: Apr 6, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.