+ "details": "**Severity:** Medium\n**CWE:** CWE-352 (Cross-Site Request Forgery)\n\n## Summary\n\nThe player skin configuration endpoint at `admin/playerUpdate.json.php` does not validate CSRF tokens. The `plugins` table is explicitly excluded from the ORM's domain-based security check via `ignoreTableSecurityCheck()`, removing the only other layer of defense. Combined with `SameSite=None` cookies, a cross-origin POST can modify the video player appearance on the entire platform.\n\n## Details\n\nIn `admin/playerUpdate.json.php` at line 17, the player skin is set directly from POST data:\n\n```php\n$pluginDO->skin = $_POST['skin'];\n```\n\nNo CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the `plugins` table is registered in `ignoreTableSecurityCheck()`, which explicitly bypasses this ORM-level protection for plugin configuration.\n\nAVideo's session cookies are configured with `SameSite=None`, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.\n\nAn attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.\n\n## Proof of Concept\n\nHost the following HTML on an attacker-controlled domain:\n\n```html\n<!DOCTYPE html>\n<html>\n<head><title>CSRF Player Skin</title></head>\n<body>\n<h1>Loading video...</h1>\n<form id=\"csrf\" method=\"POST\"\n action=\"https://your-avideo-instance.com/admin/playerUpdate.json.php\">\n <input type=\"hidden\" name=\"skin\" value=\"minimalist\" />\n</form>\n<script>\n document.getElementById(\"csrf\").submit();\n</script>\n</body>\n</html>\n```\n\nWhen an authenticated admin visits this page, the platform's player skin is changed without their knowledge.\n\n## Impact\n\n- Platform-wide player appearance modification without 
admin consent\n- Potential disruption of video playback if an invalid skin value is set\n- The ORM security bypass via `ignoreTableSecurityCheck()` means there is no fallback protection\n- Can be used as part of a broader defacement or social engineering attack\n\n## Recommended Fix\n\nAdd CSRF token validation at `admin/playerUpdate.json.php`, before processing POST data:\n\n```php\n// admin/playerUpdate.json.php (before line 17)\nif (!isGlobalTokenValid()) {\n die('{\"error\":\"Invalid CSRF token\"}');\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
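Review bot: The Recommended Fix section adds an `isGlobalTokenValid()` check on the server side but does not say that the admin UI form which posts to `admin/playerUpdate.json.php` must also start sending that token, otherwise legitimate skin updates fail once the check lands; the advisory should state both halves of the change. It would also help to tie the fix back to the two contributing factors the Details section identifies: since the `plugins` table is excluded from the ORM Referer/Origin check via `ignoreTableSecurityCheck()`, the token check is the only protection and belongs in the endpoint, and the `SameSite=None` session-cookie setting could be listed as a defense-in-depth item (e.g. `SameSite=Lax` where the deployment allows it) so readers do not rely on the token check alone. Minor: the `die('{"error":"Invalid CSRF token"}')` response should be accompanied by a JSON content type and a 403 status so callers can distinguish it from a successful update.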