Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a59b2cbf778f · 2026-04-04T06:18:36.000Z
GHSA-2vg4-rrx4-qcpq GHSA-3v7m-qg4x-58h9 GHSA-737v-mqg7-c878 GHSA-99j6-hj87-6fcf GHSA-hg8q-8wqr-35xx
diff --git a/advisories/github-reviewed/2026/04/GHSA-2vg4-rrx4-qcpq/GHSA-2vg4-rrx4-qcpq.json b/advisories/github-reviewed/2026/04/GHSA-2vg4-rrx4-qcpq/GHSA-2vg4-rrx4-qcpq.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2vg4-rrx4-qcpq",
+  "modified": "2026-04-04T06:16:49Z",
+  "published": "2026-04-04T06:16:49Z",
+  "aliases": [
+    "CVE-2026-35450"
+  ],
+  "summary": "AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php",
+  "details": "## Summary\n\nThe `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (`kill.ffmpeg.json.php`, `list.ffmpeg.json.php`, `ffmpeg.php`) require `User::isAdmin()`.\n\n## Details\n\nThe entire file at `plugin/API/check.ffmpeg.json.php`:\n\n```php\n<?php\n$configFile = __DIR__.'/../../videos/configuration.php';\nrequire_once $configFile;\nheader('Content-Type: application/json');\n\n$obj = testFFMPEGRemote();\n\ndie(json_encode($obj));\n```\n\nNo `User::isAdmin()`, `User::isLogged()`, or any access control check exists.\n\nCompare with sibling endpoints in the same directory:\n- `kill.ffmpeg.json.php` checks `User::isAdmin()`\n- `list.ffmpeg.json.php` checks `User::isAdmin()`\n\n## Proof of Concept\n\n```bash\ncurl \"https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php\"\n```\n\nReturns information about whether the platform uses a standalone FFmpeg server and its current reachability.\n\n## Impact\n\nInfrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.\n\n## Recommended Fix\n\nAdd an admin authentication check at `plugin/API/check.ffmpeg.json.php:3`, after `require_once $configFile;`:\n\n```php\nif (!User::isAdmin()) {\n    forbiddenPage('Admin only');\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "wwbn/avideo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WWBN/AVideo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:16:49Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-3v7m-qg4x-58h9/GHSA-3v7m-qg4x-58h9.json b/advisories/github-reviewed/2026/04/GHSA-3v7m-qg4x-58h9/GHSA-3v7m-qg4x-58h9.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3v7m-qg4x-58h9",
+  "modified": "2026-04-04T06:15:37Z",
+  "published": "2026-04-04T06:15:37Z",
+  "aliases": [
+    "CVE-2026-35448"
+  ],
+  "summary": "AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php",
+  "details": "## Summary\n\nThe BlockonomicsYPT plugin's `check.php` endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated `invoice.php` page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.\n\n## Details\n\nIn `plugin/BlockonomicsYPT/check.php` at lines 20-30, the endpoint accepts a Bitcoin address and returns the corresponding order data:\n\n```php\n$addr = $_GET['addr'];\n$order = new BlockonomicsOrder(0);\n$obj = $order->getFromAddressFromDb($addr);\ndie(json_encode($obj));\n```\n\nThere is no authentication check. The endpoint does not verify that the requesting user is logged in, nor does it verify that the requesting user owns the order associated with the given address.\n\nThe response includes:\n- User ID of the buyer\n- Total payment value\n- Currency\n- BTC amounts (expected and received)\n- Transaction ID\n- Payment status\n\nThe `invoice.php` page that was designed to consume this endpoint does require authentication, but `check.php` itself does not inherit or enforce that requirement.\n\nBitcoin addresses are publicly queryable on the blockchain, so an attacker does not need to guess them. Addresses associated with the platform can be discovered by monitoring blockchain transactions to known platform wallets.\n\nThe BlockonomicsYPT plugin is tagged as deprecated by the AVideo project, but remains available and functional in current installations.\n\n## Proof of Concept\n\n```bash\n# Query payment data for a known Bitcoin address without authentication\ncurl \"https://your-avideo-instance.com/plugin/BlockonomicsYPT/check.php?addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\"\n```\n\nExample response:\n\n```json\n{\n  \"id\": 42,\n  \"users_id\": 15,\n  \"value\": \"29.99\",\n  \"currency\": \"USD\",\n  \"btc_value\": \"0.00085\",\n  \"btc_received\": \"0.00085\",\n  \"txid\": \"abc123def456...\",\n  \"status\": \"confirmed\",\n  \"created\": \"2025-01-15 10:30:00\"\n}\n```\n\nNo session cookie or API key is required.\n\n## Impact\n\n- Unauthenticated disclosure of payment order data including user IDs, amounts, and transaction details\n- Bitcoin addresses are publicly discoverable on the blockchain\n- Links on-chain transactions to specific platform user IDs\n- Privacy violation for users who made cryptocurrency payments on the platform\n- Plugin is deprecated but still functional in existing deployments\n\n## Recommended Fix\n\nAdd an authentication check at `plugin/BlockonomicsYPT/check.php:17`:\n\n```php\nif (!User::isLogged()) {\n    echo json_encode([\"error\" => \"Login required\"]);\n    exit;\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "wwbn/avideo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WWBN/AVideo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:15:37Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-737v-mqg7-c878/GHSA-737v-mqg7-c878.json b/advisories/github-reviewed/2026/04/GHSA-737v-mqg7-c878/GHSA-737v-mqg7-c878.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-737v-mqg7-c878",
+  "modified": "2026-04-04T06:17:53Z",
+  "published": "2026-04-04T06:17:53Z",
+  "aliases": [
+    "CVE-2026-35209"
+  ],
+  "summary": "defu: Prototype pollution via `__proto__` key in defaults argument",
+  "details": "### Impact\n\nApplications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution.\n\nA crafted payload containing a `__proto__` key can override intended default values in the merged result:\n\n```js\nimport { defu } from 'defu'\n\nconst userInput = JSON.parse('{\"__proto__\":{\"isAdmin\":true}}')\nconst config = defu(userInput, { isAdmin: false })\n\nconfig.isAdmin // true — attacker overrides the server default\n```\n\n### Root Cause\n\nThe internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result.\n\n### Fix\n\nReplace `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.\n\n### Affected Versions\n\n<= 6.1.4\n\n### Credits\n\nReported by [@BlackHatExploitation](https://github.com/BlackHatExploitation)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "defu"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.1.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.1.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/unjs/defu"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:17:53Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-99j6-hj87-6fcf/GHSA-99j6-hj87-6fcf.json b/advisories/github-reviewed/2026/04/GHSA-99j6-hj87-6fcf/GHSA-99j6-hj87-6fcf.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-99j6-hj87-6fcf",
+  "modified": "2026-04-04T06:17:17Z",
+  "published": "2026-04-04T06:17:17Z",
+  "aliases": [
+    "CVE-2026-35452"
+  ],
+  "summary": "AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php",
+  "details": "## Summary\n\nThe `plugin/CloneSite/client.log.php` endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces `User::isAdmin()`. The log contains internal filesystem paths, remote server URLs, and SSH connection metadata.\n\n## Details\n\nThe entire file at `plugin/CloneSite/client.log.php`:\n\n```php\n<?php\ninclude '../../videos/cache/clones/client.log';\n```\n\nNo authentication check. The log file is populated by `cloneClient.json.php` which writes operational details during clone operations:\n\n```php\n// plugin/CloneSite/cloneClient.json.php:118\n$log->add(\"Clone (2 of {$totalSteps}): Geting MySQL Dump file [$cmd]\");\n```\n\nThe `$cmd` variable contains wget commands with internal filesystem paths, and rsync command templates with SSH connection details (username, IP, port).\n\nCompare with sibling endpoints:\n- `plugin/CloneSite/index.php` checks `User::isAdmin()`\n- `plugin/CloneSite/changeStatus.json.php` checks `User::isAdmin()`\n- `plugin/CloneSite/clones.json.php` checks `User::isAdmin()`\n- `plugin/CloneSite/delete.json.php` checks `User::isAdmin()`\n\n## Proof of Concept\n\n```bash\ncurl \"https://your-avideo-instance.com/plugin/CloneSite/client.log.php\"\n```\n\nIf the CloneSite feature has been used, the response contains wget commands, filesystem paths, SSH metadata, and SQL dump file locations.\n\n## Impact\n\nUnauthenticated disclosure of internal infrastructure details that could aid targeted attacks against the clone source server.\n\n## Recommended Fix\n\nAdd an admin authentication check at `plugin/CloneSite/client.log.php`, before the include:\n\n```php\nrequire_once '../../videos/configuration.php';\nif (!User::isAdmin()) {\n    http_response_code(403);\n    die('Access denied');\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "wwbn/avideo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-99j6-hj87-6fcf"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WWBN/AVideo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:17:17Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-hg8q-8wqr-35xx/GHSA-hg8q-8wqr-35xx.json b/advisories/github-reviewed/2026/04/GHSA-hg8q-8wqr-35xx/GHSA-hg8q-8wqr-35xx.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hg8q-8wqr-35xx",
+  "modified": "2026-04-04T06:16:18Z",
+  "published": "2026-04-04T06:16:18Z",
+  "aliases": [
+    "CVE-2026-35449"
+  ],
+  "summary": "AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php",
+  "details": "## Summary\n\nThe `install/test.php` diagnostic script has its CLI-only access guard disabled by commenting out the `die()` statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.\n\n## Details\n\nThe disabled guard at `install/test.php:5-7`:\n\n```php\nif (!isCommandLineInterface()) {\n    //return die('Command Line only');\n}\n```\n\nThe script also enables verbose error reporting:\n\n```php\nerror_reporting(E_ALL);\nini_set('display_errors', '1');\n```\n\nIt then queries `VideoStatistic::getLastStatistics()` and outputs the result via `var_dump()`:\n\n```php\n$resp = VideoStatistic::getLastStatistics(getVideos_id(), User::getId());\nvar_dump($resp);\n```\n\nThe `VideoStatistic` object contains: `ip` (viewer IP address), `session_id`, `user_agent`, `users_id`, and JSON metadata. The `display_errors=1` setting also leaks internal filesystem paths in any PHP warnings.\n\nThe `install/` directory is not restricted by `.htaccess` (it only disables directory listing via `Options -Indexes`) and no web server rules block access to individual PHP files in this directory.\n\n## Proof of Concept\n\n```bash\n# Request viewer stats for video ID 1\ncurl \"https://your-avideo-instance.com/install/test.php?videos_id=1\"\n```\n\nConfirmed accessible on live AVideo instances (HTTP 200).\n\n## Impact\n\nUnauthenticated disclosure of viewer IP addresses (PII under GDPR), session identifiers, and user agents. The enabled `display_errors` also reveals internal server paths on errors.\n\n- **CWE**: CWE-200 (Exposure of Sensitive Information)\n- **Severity**: Low\n\n## Recommended Fix\n\nUncomment the CLI guard at `install/test.php:6` to restore the intended access restriction:\n\n```php\nif (!isCommandLineInterface()) {\n    return die('Command Line only');\n}\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "wwbn/avideo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WWBN/AVideo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:16:18Z",
+    "nvd_published_at": null
+  }
+}
