WWBN AVideo has a CSRF vulnerability in configurationUpdate.json.php that allows full takeover of the site configuration, including the encoder URL and SMTP credentials.
Platform
php
Component
avideo
Fixed in
29.0.1
CVE-2026-40925 describes a Cross-Site Request Forgery (CSRF) vulnerability in the objects/configurationUpdate.json.php endpoint of AVideo. The flaw lets an attacker modify critical site configuration and thereby gain unauthorized access and control. It affects AVideo versions 1.0.0 up to and including 29.0; a fix is available in version 29.1.
Impact and attack scenarios
The primary impact of CVE-2026-40925 is that an attacker can remotely modify AVideo's site configuration. Because the endpoint performs no CSRF check and relies on the administrator's session alone, a malicious website can submit a forged POST request; if an authenticated administrator visits that site, the request silently updates the site's settings. These include sensitive values such as encoder URLs, SMTP credentials and other global configuration. Successful exploitation could lead to unauthorized video encoding, email spoofing and ultimately complete compromise of the AVideo instance. AVideo deliberately sets session.cookie_samesite=None so that it can be embedded in cross-origin iframes; the side effect is that the browser also attaches the session cookie to cross-site POST requests, which is what lets the forged request arrive authenticated and makes exploitation significantly easier.
Exploitation context
CVE-2026-40925 was published on 2026-04-21 with a HIGH severity rating (CVSS 8.3). There are currently no publicly known campaigns exploiting it. The missing globalToken check and the reliance on User::isAdmin() alone for authorization, combined with permissive Origin header handling, match patterns seen in other CSRF vulnerabilities, but no direct precedent is immediately apparent. The vulnerability is not listed in CISA KEV; its EPSS score is 0.02% (5th percentile), i.e. a very low predicted probability of exploitation at the time of writing.
Threat analysis
Exploit status
No known exploitation at the time of publication
EPSS
0.02% (5th percentile)
CVSS vector
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (base score 8.3, High), assembled from the metrics listed below
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. The attacker needs no account; the forged request runs under the victim administrator's session.
- User Interaction: Required. The victim must open a file, click a link or visit a page; here, an administrator must visit the attacker's page while logged in.
- Scope: Unchanged. Impact is confined to the vulnerable component.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete arbitrary data.
- Availability: Low. Partial or intermittent denial of service.
Affected software
AVideo 1.0.0 through 29.0
Vulnerability classification (CWE)
CWE-352: Cross-Site Request Forgery (CSRF)
Timeline
- Published: 2026-04-21
Mitigation and workarounds
The primary mitigation for CVE-2026-40925 is to upgrade AVideo to version 29.1 or later, which adds CSRF protection to the configuration update endpoint. If upgrading immediately is not feasible, a temporary workaround is to restrict POST requests to objects/configurationUpdate.json.php to trusted origins at a web application firewall (WAF) or reverse proxy: allow the request only when its Origin header (or, if Origin is absent, the Referer) matches the site's own origin, and reject requests that carry neither header, since a lure page can suppress Referer. This is a stopgap, not a substitute for the request validation the fix introduces: it depends on the browser sending those headers and does nothing against an attacker who already runs script on the site's own origin. Additionally, review the web server's access log for POST requests to the endpoint whose Referer is missing or points to another site, and compare the stored configuration (encoder URL, SMTP settings) against a known-good copy. After upgrading, confirm the fix by submitting a POST to the endpoint from a page on a different origin while logged in as an administrator; the request should be rejected and the configuration should remain unchanged.
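The origin check described above, and the access-log review it recommends, as an added example that is not part of this page or of the AVideo project. It also illustrates the point made under the impact section: once the session cookie is sent with cross-site POSTs (SameSite=None), only the request's Origin or Referer distinguishes the admin UI's own form from a forged one. Assumptions not taken from the advisory: the site is served from https://videos.example.test, the endpoint is reachable under /objects/ at the site root, the access log is in the Apache/nginx "combined" format, and the log lines in SAMPLE_LOG are constructed for illustration.

```python
"""
Added example, not code from the AVideo project: the origin check a reverse
proxy or WAF can enforce on the configuration update endpoint while a site is
still unpatched, plus a scan of web-server access logs for forged POSTs.

Assumptions (not from the advisory): the site is served from
https://videos.example.test, the access log is in Apache/nginx "combined"
format, and SAMPLE_LOG below is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Endpoint named in the advisory; a deployment-specific prefix may precede it.
ENDPOINT = "/objects/configurationUpdate.json.php"
SITE_ORIGIN = "https://videos.example.test"  # assumed deployment origin
TRUSTED_ORIGINS: Set[str] = {SITE_ORIGIN}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] of a URL in lower case, or None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_trusted_request(headers: Dict[str, str], trusted: Set[str] = TRUSTED_ORIGINS) -> bool:
    """Decide whether a POST to ENDPOINT may pass the proxy.

    With session.cookie_samesite=None the browser attaches the admin's cookie
    to cross-site POSTs, so the cookie proves nothing; Origin (or Referer) is
    the only signal left. Browsers send Origin on cross-site POSTs and send
    "null" for opaque origins, so both a foreign and a "null" Origin are
    refused. Referer is consulted only when Origin is absent, and a request
    with neither header is refused, because a lure page can suppress Referer
    with a no-referrer policy. Non-browser clients must therefore set Origin.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        return origin.strip().lower() in trusted
    referer = lowered.get("referer")
    if referer:
        return origin_of(referer) in trusted
    return False


# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_access_log(lines: Iterable[str], site_origin: str = SITE_ORIGIN) -> List[Dict[str, str]]:
    """Flag POSTs to ENDPOINT whose Referer is absent or belongs to another origin.

    Combined-format logs record Referer but not Origin, so Referer is the
    retrospective signal. A forged POST from a lure page carries that page as
    Referer, or no Referer at all if the page suppressed it; both are flagged.
    A matching Referer only says the request looked like the admin UI's own
    form, so the stored configuration should still be compared to a known-good copy.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.endswith(ENDPOINT):
            continue
        referer = m["referer"]
        ref_origin = origin_of(referer) if referer != "-" else None
        if ref_origin == site_origin.lower():
            continue
        reason = "no Referer" if ref_origin is None else f"foreign Referer {ref_origin}"
        findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"], "reason": reason})
    return findings


# Constructed sample log; addresses and hosts are documentation ranges, not real traffic.
SAMPLE_LOG = [
    # 1: admin saves settings from the site's own configuration page
    '203.0.113.10 - - [21/Apr/2026:10:01:12 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 87 "https://videos.example.test/siteConfigurations" "Mozilla/5.0"',
    # 2: same admin browser, but the POST was auto-submitted by a lure page
    '203.0.113.10 - - [21/Apr/2026:10:05:44 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 87 "https://attacker.example.test/lure.html" "Mozilla/5.0"',
    # 3: as 2, with the lure page suppressing Referer
    '203.0.113.10 - - [21/Apr/2026:10:06:02 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    # 4: unrelated GET, ignored by the scan
    '198.51.100.7 - - [21/Apr/2026:10:07:00 +0000] "GET /objects/configurationUpdate.json.php HTTP/1.1" 405 0 "-" "curl/8.0.1"',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Running the script flags entries 2 and 3 of the sample log and leaves the legitimate save and the GET alone. Treating a missing Referer as suspicious on this one endpoint is deliberate: legitimate saves come from the admin UI's own page and therefore carry the site's Referer, while a lure page can drop it at will.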
How to fix
Update AVideo to version 29.1 or later to fix the vulnerability. This update implements proper validation of POST requests and thereby prevents unauthorized modification of the site configuration through CSRF attacks.
Frequently asked questions
What is CVE-2026-40925 — CSRF in AVideo Configuration Update?
CVE-2026-40925 is a Cross-Site Request Forgery (CSRF) vulnerability in AVideo versions 1.0.0 through 29.0. It allows attackers to modify site configurations via a POST request, potentially compromising the entire AVideo instance.
Am I affected by CVE-2026-40925 in AVideo?
You are affected if you are running AVideo versions 1.0.0 through 29.0 and have not yet upgraded. The vulnerability is easily exploitable due to the lack of CSRF protection on the configuration update endpoint.
How do I fix CVE-2026-40925 in AVideo?
Upgrade AVideo to version 29.1 or later. As a temporary workaround, restrict POST requests to objects/configurationUpdate.json.php at a WAF or reverse proxy so that only requests whose Origin (or Referer) matches the site's own origin are allowed.
Is CVE-2026-40925 being actively exploited?
As of the publication date, there are no publicly known active campaigns exploiting CVE-2026-40925. However, the vulnerability's ease of exploitation warrants immediate attention and remediation.
Where can I find the official AVideo advisory for CVE-2026-40925?
Refer to the AVideo security advisory published on 2026-04-21 for detailed information and remediation steps, and check the AVideo website or the project's official communication channels for the latest updates.