WWBN AVideo Unauthenticated Email Injection Vulnerability in sendEmail.json.php Allows Phishing

Vulnerability

WWBN AVideo versions through 29.0 let an unauthenticated user send email to an arbitrary recipient through the site's own mail infrastructure. The endpoint objects/sendEmail.json.php is publicly reachable and enforces neither a login session nor a CSRF token. When a request omits the contactForm parameter, the endpoint falls back to the site's configured contact address as the reply-to address, so an attacker-controlled message leaves the site's SMTP server as legitimate mail from the site. Such a message does not bypass sender-authentication checks (SPF, DKIM, DMARC) so much as pass them, because it genuinely originates from the site's authorised mail server. The result is a phishing primitive: recipients see mail that is authentically from a domain they trust, with a body the attacker chose.

Impact

An attacker can deliver phishing mail that appears to come from the site's legitimate contact address and passes the recipient's sender-authentication checks, since the site's own SMTP server sends it. Recipients who trust the site, in particular its users and administrators, are therefore more likely to act on the message than on mail from an attacker-owned domain.

Reproduction

Send a POST request to objects/sendEmail.json.php that omits the contactForm parameter and supplies the recipient and message content. No session or CSRF token is required; the captcha is the only barrier, and it must be solved per request. Once it is solved, the site's SMTP server delivers the message to the specified recipient with the site's contact email as the sender, which is all a phishing campaign needs.
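As an added example (not part of this advisory or of the AVideo project), the following Python script scans web-server access-log lines in the common "combined" format for POST requests to the endpoint named above and flags source addresses that submit several in a short window, or submit without a Referer from the site's own pages, which is what scripted abuse of this endpoint looks like from the server side. The endpoint path comes from the advisory; the log lines, IP addresses, thresholds and the hostname video.example are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory; matched as a path suffix so a deployment
# under a sub-directory (e.g. /avideo/objects/...) is still recognised.
TARGET = "/objects/sendEmail.json.php"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic): four rapid scripted POSTs from
# one address, one ordinary contact-form submission preceded by a page view,
# and a GET probe that should not count as a send.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:22:37:01 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [11/May/2026:22:37:05 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [11/May/2026:22:37:09 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [11/May/2026:22:37:13 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 57 "-" "curl/8.5.0"
198.51.100.20 - - [11/May/2026:22:40:00 +0000] "GET /contact HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.20 - - [11/May/2026:22:41:30 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 57 "https://video.example/contact" "Mozilla/5.0"
192.0.2.9 - - [11/May/2026:22:45:00 +0000] "GET /objects/sendEmail.json.php HTTP/1.1" 405 0 "-" "python-requests/2.32"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def find_send_email_posts(lines):
    """All POST requests to the sendEmail endpoint, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(TARGET):
            hits.append(rec)
    return hits


def find_bursts(hits, max_per_window=3, window=timedelta(minutes=5)):
    """Source IPs that issued more than max_per_window POSTs inside any sliding
    window; returns {ip: total_posts}. A contact form is rarely submitted
    several times within minutes by one client, so a burst suggests scripting."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                flagged[ip] = len(times)
                break
    return flagged


def find_no_referer(hits, site_host="video.example"):
    """POSTs whose Referer is absent or not from the site itself. A browser
    submitting the site's own contact form normally sends the site as Referer;
    a scripted request usually sends none. Heuristic only: a strict
    Referrer-Policy can legitimately suppress the header."""
    return [h for h in hits if h["referer"] == "-" or site_host not in h["referer"]]


def report(lines):
    """Summarise suspicious use of the endpoint for the given log lines."""
    hits = find_send_email_posts(lines)
    return {
        "posts": len(hits),
        "bursting_ips": find_bursts(hits),
        "no_referer": [(h["ip"], h["ts"].isoformat()) for h in find_no_referer(hits)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample above the script reports five POSTs, flags 203.0.113.7 for a burst of four in twelve seconds, and lists those same four as lacking a site Referer, while the browser submission from 198.51.100.20 is left alone. The thresholds are starting points; tune them to the real contact-form volume of the deployment before alerting on them.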

Remediation

The issue is fixed in commit 4e37098. Administrators should upgrade to the latest AVideo release and confirm that the deployed copy of objects/sendEmail.json.php includes that commit. Until the upgrade is applied, restricting access to that endpoint at the web server limits exposure, at the cost of the public contact form.

Added: May 11, 2026, 10:37 PM
Updated: May 11, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          2.5
  exploitability  8.2
  remediation     0.0
  relevance       8.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.