Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33649 describes a Cross-Site Request Forgery (CSRF) vulnerability in the wwbn/avideo component, affecting versions up to and including 26.0. The permission-setting endpoint `plugin/Permissions/setPermission.json.php` changes state on a plain GET request with no anti-CSRF token, and the application's session cookie is configured with `session.cookie_samesite=None`, so browsers attach it to cross-site requests. An attacker who never authenticates can therefore have an authenticated administrator's browser change user-group permissions on their behalf, a silent privilege escalation to near-administrator rights.
The impact of CVE-2026-33649 is significant because of the privilege escalation it enables. An attacker crafts a web page containing an `<img>` tag whose `src` points at the permission-setting endpoint; when an administrator who is logged in to AVideo loads that page, the browser fetches the image URL with the administrator's session cookie attached and the permission change is applied silently. The attacker uses this to grant their own user group elevated permissions, gaining near-administrator access. Exploitation is straightforward: the endpoint has no CSRF protection, and with `session.cookie_samesite=None` there is no same-site restriction on the cookie to get around in the first place, so the browser supplies the administrator's authentication for free. Successful exploitation can lead to unauthorized data access, modification, or deletion, and potentially complete compromise of the system.
CVE-2026-33649 was published on March 25, 2026. Its severity is rated HIGH with a CVSS score of 8.1. There are currently no publicly known Proof-of-Concept (PoC) exploits. The vulnerability is not listed in the CISA KEV catalog, and its EPSS score of 0.02% (6th percentile) indicates a low predicted probability of exploitation at this time. Monitor security advisories and threat-intelligence feeds for any reports of exploitation attempts.
Exploit status
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2026-33649 is to upgrade to wwbn/avideo 26.0.1 or later, the version recorded above as fixing the CSRF flaw. If upgrading immediately is not possible, the following measures reduce exposure, each with a caveat. Restricting `plugin/Permissions/setPermission.json.php` by source IP or network does not by itself stop CSRF, because the forged request is sent by the administrator's own browser from wherever the administrator happens to be; it only helps if administrators reach the site exclusively from a confined network and browse nothing else from there. Set `session.cookie_samesite` to `Lax` or `Strict` (and `session.cookie_secure=1`) so the browser stops attaching the session cookie to cross-site subresource loads such as an `<img>`; `Lax` does not affect same-site use of the application, while `Strict` also withholds the cookie on top-level cross-site navigations. A Web Application Firewall (WAF) rule can reject requests to the endpoint that carry `Sec-Fetch-Site: cross-site` or whose `Origin`/`Referer` host is not the AVideo host; test such a rule against the legitimate admin UI before relying on it. After upgrading, confirm the fix from a browser logged in as an administrator: loading the crafted URL from a page on another origin must leave the group permissions unchanged, and a direct request without the anti-CSRF protection must be rejected rather than silently applied. "Requires authentication" is not the right acceptance test, since a CSRF request is already authenticated by the victim's cookie; the test is that authentication alone is no longer sufficient.
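The attack shape described in the impact paragraph and the hardening measures above, as an added example that is not AVideo's code. It shows a state-changing GET endpoint guarded only by the session cookie (the vulnerable shape, kept as a comment for contrast) beside a hardened handler that sets `SameSite=Lax` on the session cookie, rejects cross-site requests using browser-set `Sec-Fetch-Site`/`Origin`/`Referer` metadata, requires `POST`, and checks a per-session anti-CSRF token. The endpoint path and the `session.cookie_samesite` setting come from the advisory; the parameter names `groupId`, `permission` and `allowed`, the `csrf_token` field, the `$_SESSION['is_admin']` flag, the JSON-file store and all helper names are assumptions made for illustration.

```php
<?php
// Added example, not code from AVideo: the request-handling pattern the advisory
// describes for plugin/Permissions/setPermission.json.php, and one way to harden it.
// ASSUMPTIONS: parameter names (groupId, permission, allowed, csrf_token), the
// $_SESSION['is_admin'] flag, the JSON-file store and the helper names are illustrative.
declare(strict_types=1);

// --- Session cookie: the weak setting beside the corrected one ----------------
// With session.cookie_samesite=None (the setting named in the advisory) the browser
// attaches the admin's session cookie to a cross-site <img> load. Lax withholds it
// from cross-site subresources and cross-site POSTs; Strict also withholds it from
// top-level cross-site navigations.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',   // vulnerable configuration: 'None'
]);
session_start();

// One random token per session, compared in constant time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $token): bool
{
    return is_string($token)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);
}

// Browser-set request metadata that a cross-site <img> or form cannot forge.
function requestIsSameSite(): bool
{
    $fetchSite = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($fetchSite !== null) {
        return in_array($fetchSite, ['same-origin', 'same-site', 'none'], true);
    }
    // Older browsers: fall back to Origin, then Referer; with neither, reject.
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host   = parse_url($source, PHP_URL_HOST);
    return is_string($host)
        && strcasecmp($host, (string)($_SERVER['HTTP_HOST'] ?? '')) === 0;
}

function currentUserIsAdmin(): bool   // assumption: flag set by the login code
{
    return ($_SESSION['is_admin'] ?? false) === true;
}

// Illustrative persistence only; AVideo has its own database layer.
function setGroupPermission(int $groupId, string $permission, bool $allowed): array
{
    $file = sys_get_temp_dir() . '/group_permissions.json';
    $all  = is_file($file) ? (json_decode((string)file_get_contents($file), true) ?: []) : [];
    $all[$groupId][$permission] = $allowed;
    file_put_contents($file, json_encode($all), LOCK_EX);
    return $all[$groupId];
}

function jsonExit(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// --- VULNERABLE shape (for contrast; do not deploy) ---------------------------
// A state-changing GET guarded only by the session cookie. Any page an admin visits
// can fire it with <img src="https://SITE/plugin/Permissions/setPermission.json.php?...">:
//
//   if (!currentUserIsAdmin()) { jsonExit(403, ['error' => true]); }
//   setGroupPermission((int)$_GET['groupId'], (string)$_GET['permission'], $_GET['allowed'] === '1');
//   jsonExit(200, ['error' => false]);

// --- HARDENED shape -----------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {             // an <img> can only GET
    jsonExit(405, ['error' => true, 'msg' => 'POST required']);
}
if (!requestIsSameSite()) {
    jsonExit(403, ['error' => true, 'msg' => 'cross-site request rejected']);
}
if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {   // token is emitted by the admin UI form
    jsonExit(403, ['error' => true, 'msg' => 'missing or invalid CSRF token']);
}
if (!currentUserIsAdmin()) {                             // authorisation still applies
    jsonExit(403, ['error' => true, 'msg' => 'administrators only']);
}
$updated = setGroupPermission(
    (int)($_POST['groupId'] ?? 0),
    (string)($_POST['permission'] ?? ''),
    ($_POST['allowed'] ?? '0') === '1'
);
jsonExit(200, ['error' => false, 'permissions' => $updated, 'csrf_token' => csrfToken()]);
```

Run under any PHP 7.3+ web server with the file served as the endpoint; the admin UI must render `csrfToken()` into a hidden `csrf_token` field of its form. With the hardened handler, a GET carrying the administrator's cookie gets 405, a POST that arrives with `Sec-Fetch-Site: cross-site` or a foreign `Origin` gets 403 before the token is even inspected, and a same-site POST without the token gets 403; only a same-site POST with the session's token and an admin session reaches `setGroupPermission()`. The `SameSite=Lax` cookie is defence in depth: even if a future endpoint forgets the token check, the browser will not send the session cookie on a cross-site `<img>` load.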
Update AVideo to a patched version that corrects the CSRF vulnerability in the `plugin/Permissions/setPermission.json.php` endpoint. At the time this note was originally written no patched version was available and the advice was to monitor WWBN security updates and apply the patch as soon as it appeared; the page now records 26.0.1 as the fixed version. As a temporary measure, CSRF validation can be added to the affected endpoint.
CVE-2026-33649 is a Cross-Site Request Forgery (CSRF) vulnerability in wwbn/avideo versions up to and including 26.0 that lets an attacker escalate privileges by having a logged-in administrator's browser silently modify user-group permissions.
You are affected if you run wwbn/avideo 26.0 or earlier. Check your version and upgrade to 26.0.1 or later.
The recommended fix is to upgrade to wwbn/avideo 26.0.1 or later. As a temporary measure, set `session.cookie_samesite` to `Lax` or `Strict` and filter cross-site requests to the vulnerable endpoint; restricting the endpoint by IP alone does not stop CSRF, because the forged request is issued by the administrator's own browser.
Currently there are no publicly known Proof-of-Concept (PoC) exploits or reports of active exploitation, but the patch should be applied proactively.
Refer to the official wwbn/avideo security advisories and release notes for details on the patch and any related information.