Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-34613 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting wwbn/avideo versions up to and including 26.0. The flaw lets an attacker who lures a logged-in administrator onto a malicious page disable critical security plugins within the AVideo platform, potentially undermining user authentication and access controls. It stems from missing CSRF token validation in the objects/pluginSwitch.json.php endpoint, combined with the plugins table being exempted from the ORM-level security checks. A fix is available in 26.0.1; upgrading is recommended.
The primary impact of CVE-2026-34613 is that an attacker can remotely disable security plugins within the AVideo platform. The attacker needs no credentials of their own; it is enough that the victim, an AVideo administrator, visits an attacker-controlled page while holding an active session. The objects/pluginSwitch.json.php endpoint, responsible for plugin management, lacks CSRF protection. In addition, the plugins table is explicitly listed in ignoreTableSecurityCheck(), which exempts it from the ORM-level Referer/Origin domain validation that would otherwise reject cross-site writes. Because the session cookie is set with SameSite=None, the browser attaches the administrator's session to the forged cross-site request. Disabling plugins such as LoginControl (2FA), subscription enforcement, or access control can lead to unauthorized access, data exposure, and full compromise of the instance, with a corresponding loss of data integrity and confidentiality.
CVE-2026-34613 was publicly disclosed on 2026-04-01. The vulnerability's severity is currently assessed as MEDIUM (CVSS 6.5). There is no indication of this vulnerability being added to the CISA KEV catalog at this time. The absence of a public proof-of-concept (POC) does not diminish the risk, as the vulnerability's nature makes it relatively straightforward to exploit. Active campaigns targeting this vulnerability are not currently known, but the ease of exploitation warrants proactive mitigation.
Organizations running wwbn/avideo for video management and streaming are at risk, particularly where administrators use the web UI while logged in and where plugins enforce authentication, subscription management, or access control. Multi-tenant and shared hosting deployments are especially exposed: a forged request riding on one administrator's session disables the plugin for every user of the instance.
• php: Examine objects/pluginSwitch.json.php for missing CSRF token validation. Search for the ignoreTableSecurityCheck() call and confirm whether the plugins table is listed there, since that listing is what exempts it from the ORM-level Referer/Origin check:
grep -r 'ignoreTableSecurityCheck' /path/to/avideo
• php: Monitor access logs for requests to objects/pluginSwitch.json.php originating from unexpected or unauthorized sources, for example a Referer on a foreign domain or a POST with no Referer at all:
grep 'pluginSwitch.json.php' /var/log/apache2/access.log
• generic web: Check session cookie attributes for SameSite=None. This configuration increases the risk of CSRF attacks. Match case-insensitively, because HTTP/2 responses show the header as set-cookie, and request a page that actually starts a session, since a bare HEAD may not emit the cookie:
curl -I https://your-avideo-site.com | grep -i Set-Cookie
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
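The log and cookie checks above, carried out as an added example in Python rather than with the bare grep commands (this is illustrative code written for this page, not part of the advisory or of AVideo). It assumes the Apache "combined" log format and a deployment served from the hostname SITE_HOST; the log lines and Set-Cookie headers in the block are constructed for the demo. A plugin-switch request is flagged when its Referer is missing or points at another host, which is exactly the cross-site traffic the missing token check would have let through.

```python
"""Detection helpers for CVE-2026-34613 (added example, not AVideo code).

Assumptions: Apache 'combined' log format, site served from SITE_HOST,
and constructed sample data below.
"""
import re
from urllib.parse import urlsplit

SITE_HOST = "videos.example.org"           # assumed hostname of the AVideo instance
ENDPOINT = "/objects/pluginSwitch.json.php"

# Apache combined: host ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer: str) -> str:
    """Host part of a Referer value; '' when the log shows '-' (absent)."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def flag_plugin_switch(line: str, site_host: str = SITE_HOST):
    """Return a reason string for a suspicious plugin-switch request, else None.

    Suspicious = the request hits ENDPOINT and its Referer is missing (a lure
    page can suppress it with referrerpolicy=no-referrer) or on another host.
    """
    m = LOG_RE.match(line)
    if not m or ENDPOINT not in m.group("path"):
        return None
    host = referer_host(m.group("referer"))
    if host == "":
        return f"{m.group('ip')} {m.group('method')} {ENDPOINT} with no Referer"
    if host != site_host.lower():
        return f"{m.group('ip')} {m.group('method')} {ENDPOINT} referred from {host}"
    return None


def scan(lines, site_host: str = SITE_HOST):
    """Run flag_plugin_switch over an iterable of log lines, keeping the hits."""
    return [r for r in (flag_plugin_switch(ln, site_host) for ln in lines) if r]


def samesite_of(set_cookie: str) -> str:
    """SameSite attribute of a Set-Cookie header value, '' when not set."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip()
    return ""


def cookie_allows_csrf(set_cookie: str) -> bool:
    """True when the cookie is explicitly SameSite=None, i.e. sent cross-site."""
    return samesite_of(set_cookie).lower() == "none"


# Constructed sample log lines: one legitimate switch from the admin UI,
# one from a lure page, one with the Referer suppressed, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" '
    '200 43 "https://videos.example.org/plugins/" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:02:13 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" '
    '200 43 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:02:14 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" '
    '200 43 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:03:00 +0000] "GET /view/ HTTP/1.1" '
    '200 1234 "https://attacker.example/" "Mozilla/5.0"',
]

# Constructed Set-Cookie values: the setting the advisory calls out, and a safe one.
SAMPLE_COOKIES = [
    "PHPSESSID=abc123; Path=/; Secure; SameSite=None",
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("SUSPICIOUS:", finding)
    for cookie in SAMPLE_COOKIES:
        print("cross-site session cookie" if cookie_allows_csrf(cookie) else "ok:", cookie)
```

Run it against a real file with `scan(open("/var/log/apache2/access.log"))` and the Set-Cookie line from the curl output. The Referer check is a detection heuristic, not proof: a legitimate admin behind a privacy extension may also show no Referer, so treat a hit as a prompt to check which plugin was switched and by whose session.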
The primary mitigation for CVE-2026-34613 is to upgrade wwbn/avideo to 26.0.1 or later, where the endpoint validates a CSRF token. If upgrading immediately is not feasible, apply temporary workarounds that actually address CSRF: set the session cookie to SameSite=Lax or Strict so browsers stop attaching it to cross-site POSTs; add a Web Application Firewall rule that rejects requests to objects/pluginSwitch.json.php whose Origin or Referer header is not your own domain; and restrict access to that endpoint (for example with a web server IP allowlist) to trusted administrators. Input validation and output encoding are good hygiene but do not stop CSRF, because the forged request carries well-formed input sent by the victim's own browser. Monitor AVideo and web server logs for suspicious activity, particularly requests that disable plugins. After upgrading, confirm the fix by replaying a plugin-switch request without the token (or with a stale one) against objects/pluginSwitch.json.php and verifying that it is rejected.
Update AVideo to a version after 26.0 (26.0.1 or later), in which CSRF token validation has been implemented at the objects/pluginSwitch.json.php endpoint. This prevents an attacker from disabling critical security plugins through CSRF attacks.
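The request-side checks a plugin-switch endpoint needs, as an added example written for this page in Python (not AVideo's code, and not the 26.0.1 patch). The function check_plugin_switch(), the session dict, the cookie name PHPSESSID and the hostname SITE_HOST are assumptions for the demo; the PHP primitives the comments mention (random_bytes, hash_equals) are the standard equivalents. The block shows the three gates the vulnerable endpoint skipped, namely an administrator session, a same-site Origin/Referer, and a per-session token compared in constant time, plus the cookie attribute that decides whether a cross-site POST carries the session at all.

```python
"""CSRF gates for a plugin-switch request (added example, not AVideo code).

Assumptions: a session dict with 'is_admin' and 'csrf_token', request
headers and form fields passed as plain dicts, site served from SITE_HOST.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "videos.example.org"   # assumed hostname of the deployment


def issue_csrf_token(session: dict) -> str:
    """Create a per-session token that the plugin page embeds in its requests.
    Only a page served from our origin can read it (PHP: random_bytes)."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def _origin_host(headers: dict) -> str:
    """Host from Origin, falling back to Referer; '' when neither is present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return (urlsplit(value).hostname or "").lower()
    return ""


def check_plugin_switch(headers: dict, form: dict, session: dict,
                        site_host: str = SITE_HOST) -> tuple:
    """Return (allowed, reason) for an incoming plugin-switch request."""
    if not session.get("is_admin"):
        return False, "not an administrator session"
    host = _origin_host(headers)
    if host != site_host.lower():
        # Mirrors the ORM-level Referer/Origin check the plugins table was exempted from.
        return False, f"cross-site request from '{host or 'unknown origin'}'"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if (not expected or not isinstance(supplied, str)
            or not hmac.compare_digest(expected.encode(), supplied.encode())):  # PHP: hash_equals()
        return False, "missing or invalid CSRF token"
    return True, "ok"


def session_cookie_header(session_id: str, cross_site: bool = False) -> str:
    """Set-Cookie line for the session. SameSite=None is the setting the
    advisory calls out; Lax keeps the cookie off cross-site POSTs."""
    same_site = "None" if cross_site else "Lax"
    return f"PHPSESSID={session_id}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def demo() -> list:
    """Constructed scenarios: a genuine admin action and three forged variants."""
    session = {"is_admin": True}
    token = issue_csrf_token(session)
    body = {"plugin": "LoginControl", "enabled": "0"}
    return [
        check_plugin_switch({"Origin": "https://videos.example.org"}, {**body, "csrf_token": token}, session),
        # Lure page: browser attaches the cookie, but the attacker cannot forge Origin.
        check_plugin_switch({"Origin": "https://attacker.example"}, body, session),
        # Lure page with Referer suppressed (referrerpolicy=no-referrer).
        check_plugin_switch({}, body, session),
        # Same origin but the attacker guessed a token value.
        check_plugin_switch({"Referer": "https://videos.example.org/plugins/"}, {**body, "csrf_token": "0" * 64}, session),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
    print(session_cookie_header("abc123"))
```

The token check alone is what the upgrade adds and is sufficient on its own; the Origin/Referer gate is defense in depth and is the same idea the ORM applies to tables not listed in ignoreTableSecurityCheck(). Rejecting requests with neither header will also block the rare legitimate client that strips them, so log those denials and review them rather than assuming every one is an attack.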
CVE-2026-34613 is a CSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to disable security plugins.
If you are running wwbn/avideo version 26.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to a patched version of wwbn/avideo (26.0.1 or later). If an immediate upgrade is not possible, apply temporary workarounds such as SameSite=Lax or Strict session cookies and WAF rules that reject cross-origin requests to the plugin endpoint.
While there are no confirmed reports of active exploitation, the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the wwbn/avideo security advisories for the latest information and official guidance on CVE-2026-34613.