WWBN AVideo CORS Vulnerability in API Endpoints Allows Cross-Origin Credentialed Requests

Vulnerability

A vulnerability exists in WWBN AVideo versions through 29.0, where the 'allowOrigin($allowAll=true)' function in 'objects/functions.php' reflects any 'Origin' request header back in the 'Access-Control-Allow-Origin' response header while also sending 'Access-Control-Allow-Credentials: true'. This issue affects the main API endpoints in 'plugin/API/get.json.php' and 'plugin/API/set.json.php', which handle user data, authentication, and livestream credentials. Because the browser treats such a response as permission to read it, any website can make credentialed cross-origin requests, read authenticated API responses, and potentially steal user personal information and livestream keys, or perform actions on behalf of the user.
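The pattern described above, written out as an added example (this is not AVideo's code and not the project's actual fix, which the advisory does not show): a helper that echoes the request's Origin together with a credentials grant, next to a hardened helper that only returns CORS headers for an exact match against a configured allowlist of full origins. The function names, the allowlist contents and the sample Origin values are constructed for the example.

```php
<?php
// Added example, not AVideo's own code. Function names, the allowlist and
// the sample Origin values below are assumptions made for illustration.

/**
 * Vulnerable pattern: whatever Origin the browser sent is echoed back and
 * credentials are allowed, so any site can make cookie-authenticated
 * requests and read the response body.
 */
function corsHeadersReflecting(?string $origin): array {
    if ($origin === null) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
    ];
}

/**
 * Hardened pattern: only an exact match against a configured allowlist of
 * full origins (scheme + host + port) receives CORS headers, and the emitted
 * value is the configured string, never the request's. Everything else gets
 * no CORS headers at all, so the browser blocks the cross-origin read.
 * Exact comparison also defeats lookalike hosts such as a trusted origin used
 * as a prefix of an attacker-controlled domain.
 */
function corsHeadersAllowlisted(?string $origin, array $allowedOrigins): array {
    if ($origin === null) {
        return [];
    }
    $normalized = strtolower(rtrim($origin, '/'));
    foreach ($allowedOrigins as $allowed) {
        if (strtolower(rtrim($allowed, '/')) === $normalized) {
            return [
                'Access-Control-Allow-Origin'      => $allowed,
                'Access-Control-Allow-Credentials' => 'true',
                // The response now depends on Origin; tell caches so.
                'Vary'                             => 'Origin',
            ];
        }
    }
    return [];
}

/** Send a header map on a real request (no-op on the CLI). */
function emitHeaders(array $headers): void {
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
}

// In a request handler you would call:
//   emitHeaders(corsHeadersAllowlisted($_SERVER['HTTP_ORIGIN'] ?? null, $allowed));
// Below, both helpers are run over constructed Origin values for comparison.
$allowed = ['https://videos.example.com', 'https://admin.example.com'];
$samples = [
    'https://videos.example.com',           // trusted, expected to pass
    'https://evil.example.net',             // untrusted
    'https://videos.example.com.evil.net',  // trusted origin used as a prefix
    null,                                   // same-origin or non-browser client
];
foreach ($samples as $origin) {
    $reflect = corsHeadersReflecting($origin);
    $strict  = corsHeadersAllowlisted($origin, $allowed);
    printf("%-40s reflecting: %-36s allowlisted: %s\n",
        var_export($origin, true),
        $reflect['Access-Control-Allow-Origin'] ?? '(none)',
        $strict['Access-Control-Allow-Origin'] ?? '(none)');
}
```

Running it shows the reflecting helper granting credentialed access to every origin, including the lookalike host, while the allowlisted helper only answers for the two configured origins. The 'Vary: Origin' header matters once responses can differ by origin, otherwise a shared cache could serve one origin's CORS grant to another.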

Impact

Exploitation of this vulnerability allows for the theft of user personal information, including email, full name, address, phone number, and livestream credentials. Additionally, it enables unauthorized actions to be performed on behalf of the user, such as managing videos or changing account settings.

Reproduction

To reproduce this vulnerability, host a webpage on a different domain than the target AVideo instance. This page should send a credentialed fetch request to the AVideo API endpoint 'plugin/API/get.json.php' with the 'Origin' header set to the attacker's domain. When the request is made, the server will respond with the 'Access-Control-Allow-Origin' header reflecting the attacker's origin and 'Access-Control-Allow-Credentials: true', allowing the attacker's script to access the response data. This data can then be exfiltrated to the attacker's server.

Remediation

The vulnerability has been fixed in a recent commit. To address this issue, update to the latest version of WWBN AVideo.

Added: Apr 22, 2026, 12:04 AM
Updated: Apr 22, 2026, 12:04 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.3
exploitability: 6.7
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.