WWBN AVideo Unauthenticated API Secret Exposure Vulnerability Allowing Unauthorized API Access

Vulnerability

A vulnerability exists in WWBN AVideo versions through 29.0, where an unauthenticated user can access the APISecret from the public 'objects/plugins.json.php' file. This APISecret can then be used to authenticate calls to protected API endpoints, such as 'users_list', bypassing the need to log in. The issue arises because 'plugins.json.php' exposes sensitive plugin data, including the APISecret, which is accepted by 'plugin/API/get.json.php' for authentication.

Impact

The vulnerability allows for unauthorized access to protected API data by exploiting the exposed APISecret, leading to a disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, send a request to 'objects/plugins.json.php' to retrieve the plugin configuration, which includes the APISecret. Once the APISecret is obtained, it can be used to make authenticated requests to 'plugin/API/get.json.php' by including the APISecret and specifying the desired API name, such as 'users_list'.

Remediation

The vulnerability has been addressed in a commit that requires admin authentication for accessing the full plugin inventory and configuration endpoint.
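To check whether the exposure was used before the fix was applied, web server access logs can be searched for the sequence described under Reproduction. The following is an added example, not part of the advisory or of AVideo's code; it assumes combined-format access logs, assumes the secret and API name travel as `APISecret` and `APIName` query parameters, and uses an arbitrary 10-minute correlation window.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2026:22:01:10 +0000] "GET /objects/plugins.json.php HTTP/1.1" 200 48211 "-" "curl/8.5.0"
198.51.100.7 - - [11/May/2026:22:01:14 +0000] "GET /plugin/API/get.json.php?APIName=users_list&APISecret=EXAMPLESECRET HTTP/1.1" 200 9120 "-" "curl/8.5.0"
203.0.113.20 - - [11/May/2026:22:02:00 +0000] "GET /plugin/API/get.json.php?APIName=users_list&APISecret=EXAMPLESECRET HTTP/1.1" 200 9120 "-" "internal-sync/1.0"
192.0.2.44 - - [11/May/2026:22:03:00 +0000] "GET /objects/plugins.json.php HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def find_secret_harvest(log_text, window=timedelta(minutes=10)):
    """Return API calls carrying APISecret that follow a successful
    plugins.json.php fetch from the same client within `window`."""
    last_fetch = {}  # client IP -> time of its last 200 on plugins.json.php
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        if status != "200":
            continue  # only successful responses disclose or return data
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if url.path.endswith("/objects/plugins.json.php"):
            last_fetch[ip] = when
        elif url.path.endswith("/plugin/API/get.json.php"):
            # Parameter names are assumptions; compare keys case-insensitively.
            params = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
            seen = last_fetch.get(ip)
            if "apisecret" in params and seen and when - seen <= window:
                findings.append({"ip": ip, "api": params.get("apiname", "?"),
                                 "time": when.isoformat()})
    return findings

if __name__ == "__main__":
    for finding in find_secret_harvest(SAMPLE_LOG):
        print(finding)
```

Access logs only show secrets sent in the query string, so an empty result does not rule out use of the secret in a request body.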

Added: May 11, 2026, 10:35 PM
Updated: May 11, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 8.3
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.