Platform: other
Component: avideo
Fixed in: 8.1.1
CVE-2020-37158 describes a cross-site request forgery (CSRF) vulnerability discovered in AVideo Platform version 8.1. This flaw allows attackers to manipulate user accounts by exploiting the password recovery process, potentially leading to unauthorized access and data compromise. The vulnerability was publicly disclosed on 2026-02-11, and a fix is expected in a future release.
The primary impact of CVE-2020-37158 is that an attacker can reset a user's password without the user's knowledge or consent. By crafting malicious requests targeting the recoverPass endpoint and leveraging a valid recovery token, an attacker can effectively take control of a user's account. This could lead to unauthorized access to sensitive data, modification of user profiles, or the execution of actions on behalf of the compromised user. The blast radius extends to all users of AVideo Platform 8.1 who use the password recovery feature, making it a widespread concern.
As of the public disclosure date (2026-02-11), there is no indication of active exploitation campaigns targeting CVE-2020-37158. Public proof-of-concept (PoC) code is currently unavailable. The vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.3 (MEDIUM) indicates moderate severity; the likelihood of exploitation rises if a working exploit is developed and widely distributed.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2020-37158 is to upgrade to a patched version of AVideo Platform as soon as it becomes available. Until a patch is applied, consider temporary workarounds such as requiring multi-factor authentication (MFA) for all user accounts. Implementing strict input validation and output encoding on the recoverPass endpoint can also help reduce the attack surface, though these do not by themselves stop CSRF: because a forged request is submitted by the victim's own browser with the victim's cookies, the endpoint also needs to verify an anti-CSRF token or the Origin/Referer header before accepting a password reset. Monitor access logs for suspicious activity related to password reset requests.
Update AVideo Platform to a version later than 8.1 to fix the CSRF vulnerability. Refer to the AVideo website for the latest version and upgrade instructions.
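As an added example (not from the advisory or the AVideo project), the following Python script implements the log-monitoring advice above: it parses combined-format web server access log lines and flags POST requests to the recoverPass endpoint whose Referer is missing or belongs to a foreign origin, which is the footprint a forged cross-site reset submission leaves. The site origin, the exact endpoint path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Origin of the monitored AVideo deployment (assumed; not from the advisory).
SITE_ORIGIN = "https://video.example"
# Path fragment of the recovery endpoint named in the advisory; the full path
# is deployment-specific, so only the fragment is matched.
RESET_PATH_FRAGMENT = "recoverPass"

# Constructed sample lines in the Apache/Nginx "combined" format: the first is a
# legitimate reset, the next two are what forged cross-site submissions leave.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Feb/2026:10:01:02 +0000] "POST /recoverPass HTTP/1.1" 200 52 "https://video.example/recoverPass" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2026:10:02:15 +0000] "POST /recoverPass HTTP/1.1" 200 52 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.9 - - [11/Feb/2026:10:02:40 +0000] "POST /recoverPass HTTP/1.1" 200 52 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Feb/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "https://video.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def origin_of(url):
    """Return the lower-cased scheme://host[:port] of a URL, or None if absent/unparsable."""
    if not url or url == "-":
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def find_suspicious_resets(log_text, site_origin=SITE_ORIGIN):
    """Flag state-changing requests to the reset endpoint whose Referer is
    missing or cross-origin. Returns a list of (client_ip, referer, reason).
    A missing Referer is weaker evidence than a foreign one, since privacy
    settings can strip the header, so triage the two reasons differently."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or RESET_PATH_FRAGMENT not in m["path"]:
            continue  # not a combined-format line, or not a reset submission
        ref_origin = origin_of(m["referer"])
        if ref_origin is None:
            findings.append((m["ip"], m["referer"], "missing referer"))
        elif ref_origin != site_origin.lower():
            findings.append((m["ip"], m["referer"], "cross-origin referer"))
    return findings
```

Running `find_suspicious_resets(SAMPLE_LOG)` on the constructed lines returns the two forged-looking submissions and skips the legitimate one and the unrelated GET.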
CVE-2020-37158 is a cross-site request forgery vulnerability in AVideo Platform version 8.1 that allows attackers to reset user passwords without authentication.
If you are using AVideo Platform version 8.1 and use the password recovery feature, you are potentially affected by this vulnerability.
Upgrade to a patched version of AVideo Platform as soon as it becomes available. Until then, implement workarounds like MFA and input validation.
As of the public disclosure date, there is no evidence of active exploitation of CVE-2020-37158.
Please refer to the AVideo Platform security advisories page for updates and official information regarding CVE-2020-37158.