WWBN AVideo has a CSRF vulnerability in configurationUpdate.json.php. It allows a complete takeover of the site configuration, including the encoder URL and the SMTP credentials.
Platform
php
Component
avideo
Fixed in
29.0.1
CVE-2026-40925 describes a Cross-Site Request Forgery (CSRF) vulnerability in the objects/configurationUpdate.json.php endpoint of AVideo. Because the endpoint accepts a configuration update from any page an authenticated administrator visits, an attacker can change critical site settings without ever logging in. The vulnerability affects AVideo versions 1.0.0 up to and including 29.0; a fix is available in version 29.1.
Impact and Attack Scenarios
The primary impact of CVE-2026-40925 is that an attacker can remotely modify AVideo's site configuration. Because the endpoint has no CSRF protection, a malicious page can auto-submit a POST request to it; when an authenticated administrator visits that page, the browser sends the request together with the administrator's session cookie, and the endpoint silently updates the site's settings. Those settings include the encoder URL, SMTP credentials and other global configuration. Successful exploitation could therefore redirect video encoding to an attacker-controlled encoder, route outbound email through attacker-controlled SMTP settings (enabling email spoofing), and ultimately lead to complete compromise of the AVideo instance. AVideo sets session.cookie_samesite=None deliberately so that its pages can be embedded in cross-origin iframes; the side effect is that browsers attach the session cookie to cross-site POST requests, which removes the partial protection a SameSite=Lax cookie would otherwise provide and makes exploitation straightforward.
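The following is an added example, not code from AVideo, that models the condition described above: the browser's SameSite rules decide whether the administrator's session cookie rides on a cross-site POST, an endpoint that authorises on that cookie alone (the page describes User::isAdmin() as the only check) is then driven by whatever page the administrator visits, and a session-bound token is what closes the hole. The session ids, the server secret, the config field names (encoderURL, smtpUsername) and the request shape are assumptions for illustration, not AVideo's real parameters.

```python
"""Added example, not AVideo's code: a minimal model of the CSRF condition
described above.  The browser's SameSite rules decide whether the admin's
session cookie rides on a cross-site POST; an endpoint that authorises on that
cookie alone is driven by whatever page the admin happens to visit.  The
hardened variant also demands a token bound to the session.  Session ids,
secret, config field names and request shape are constructed assumptions."""
import hashlib
import hmac
from typing import Callable, Dict, Tuple


def cookie_attached(samesite: str, cross_site: bool, method: str, top_level: bool) -> bool:
    """Model of browser SameSite handling for one request.
    Strict: never sent cross-site.
    Lax:    sent cross-site only on top-level navigations with a safe method.
    None:   always sent (real browsers additionally require Secure)."""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level and method.upper() in ("GET", "HEAD")
    if samesite == "None":
        return True
    raise ValueError(f"unknown SameSite value {samesite!r}")


# Constructed server state: one admin session plus a server-side secret.
SESSIONS = {"sess-admin-1": {"user": "admin", "is_admin": True}}
SECRET = b"constructed-server-secret-do-not-reuse"


def fresh_config() -> Dict[str, str]:
    """Known-good site configuration, copied for each simulated request."""
    return {"encoderURL": "https://encoder.example.internal/", "smtpUsername": "mailer"}


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session: an HMAC over the session id.  A third-party
    page cannot compute it, and it is useless without the matching cookie."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_update(request: dict, config: Dict[str, str]) -> dict:
    """Mirrors the flaw: the only authorisation is the session cookie."""
    sess = SESSIONS.get(request.get("cookie", ""))
    if not sess or not sess["is_admin"]:
        return {"error": True, "msg": "not admin"}
    config.update(request["body"])
    return {"error": False, "msg": "updated"}


def hardened_update(request: dict, config: Dict[str, str]) -> dict:
    """Fix: admin session AND a session-bound token in the POST body."""
    sid = request.get("cookie", "")
    sess = SESSIONS.get(sid)
    if not sess or not sess["is_admin"]:
        return {"error": True, "msg": "not admin"}
    sent = str(request["body"].get("csrf_token", ""))
    if not hmac.compare_digest(sent, csrf_token_for(sid)):
        return {"error": True, "msg": "CSRF token missing or invalid"}
    config.update({k: v for k, v in request["body"].items() if k != "csrf_token"})
    return {"error": False, "msg": "updated"}


Handler = Callable[[dict, Dict[str, str]], dict]


def simulate_cross_site_post(samesite: str, handler: Handler) -> Tuple[dict, Dict[str, str]]:
    """A page on attacker.example auto-submits a form to the config endpoint
    while the admin is logged in.  The browser attaches the admin's cookie only
    if SameSite permits; the attacker's page cannot read or supply the token."""
    config = fresh_config()
    body = {"encoderURL": "https://attacker.example/encoder/"}
    sent = cookie_attached(samesite, cross_site=True, method="POST", top_level=True)
    request = {"cookie": "sess-admin-1" if sent else "", "body": body}
    return handler(request, config), config


def simulate_legitimate_post(handler: Handler) -> Tuple[dict, Dict[str, str]]:
    """Same-origin admin form: cookie present and the token rendered into the page."""
    config = fresh_config()
    body = {"smtpUsername": "new-mailer", "csrf_token": csrf_token_for("sess-admin-1")}
    return handler({"cookie": "sess-admin-1", "body": body}, config), config


if __name__ == "__main__":
    for samesite in ("None", "Lax", "Strict"):
        for handler in (vulnerable_update, hardened_update):
            result, config = simulate_cross_site_post(samesite, handler)
            print(f"SameSite={samesite:<6} {handler.__name__:<17} -> "
                  f"{result['msg']}; encoderURL={config['encoderURL']}")
```

Running it shows the combination the page describes: with SameSite=None the cookie is attached and vulnerable_update() accepts the attacker's encoderURL, while hardened_update() rejects the same request because the forged form carries no session-bound token. With Lax or Strict the cookie is not attached at all, which is why the intentional SameSite=None setting matters.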
Exploitation Context
CVE-2026-40925 was published on 2026-04-21. Its severity is rated HIGH (CVSS 8.3). There are currently no publicly known active campaigns exploiting this vulnerability. The absence of a globalToken check, the reliance on User::isAdmin() alone for authorization, and the permissive Origin header handling together mirror patterns seen in other CSRF vulnerabilities, but no direct precedent is immediately apparent. The vulnerability is not listed in CISA's KEV catalog, and its EPSS score at the time of writing is 0.02%.
Threat Intelligence
Exploit Status
No publicly known active exploitation (see Exploitation Context above).
EPSS
0.02% (5th percentile)
CVSS Vector
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (base score 8.3, High)
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. The attacker needs no account or credentials; it is the victim who must be a logged-in administrator, which is captured under User Interaction.
- User Interaction: Required. The victim must open a file, click a link or visit a page (here, a page that submits the forged POST).
- Scope: Unchanged. Impact is confined to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: Low. Partial or intermittent denial of service.
Affected Software
AVideo (platform: php), versions 1.0.0 through 29.0.
Weakness Classification (CWE)
CWE-352: Cross-Site Request Forgery (CSRF)
Timeline
- Reserved
- Published: 2026-04-21
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-40925 is to upgrade AVideo to version 29.1 or later, which adds CSRF protection to the endpoint. If upgrading immediately is not feasible, a temporary workaround is to restrict the configuration update endpoint (objects/configurationUpdate.json.php, referred to on this page as /updateConfig) to trusted origins: a web application firewall (WAF) or reverse proxy rule that rejects POST requests to it unless the Origin header (or, failing that, the Referer) matches the site's own origin. The rule should fail closed: a state-changing request carrying neither header is rejected, not waved through. Changing session.cookie_samesite away from None would also stop the cross-site POST from carrying the session cookie, but it would break the cross-origin iframe embedding that setting exists for, so treat it as a trade-off rather than a drop-in fix. In addition, monitor the web server's access logs for POST requests to the endpoint with a missing or off-site Referer, and compare the stored configuration values (encoder URL, SMTP settings) against known-good ones. After upgrading, confirm the fix by submitting a POST to the endpoint from a page on a different origin while logged in as an administrator; the request should be rejected and the configuration left unchanged.
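The two interim controls described above, modelled as an added example in Python (this is not AVideo's code and not any WAF vendor's rule syntax): waf_decision() is the policy a reverse proxy or WAF would apply in front of the configuration update endpoint, requiring an allowlisted Origin (or, failing that, Referer) on state-changing requests and rejecting requests with neither; flag_config_posts() scans Apache combined-format access log lines for POSTs to the endpoint whose Referer is missing or off-site. The log lines, hostnames and the second endpoint path are constructed for illustration.

```python
"""Added example, not AVideo's code: an Origin/Referer allowlist policy for the
configuration update endpoint, and a scan of Apache combined-format access logs
for cross-site POSTs to it.  Hostnames, log lines and the second path are
constructed for illustration."""
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

CONFIG_ENDPOINT = "/objects/configurationUpdate.json.php"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_config_endpoint(path: str) -> bool:
    """Match the endpoint path, ignoring any query string."""
    return path.split("?", 1)[0] == CONFIG_ENDPOINT


def origin_of(url: str) -> Optional[str]:
    """Reduce an Origin or Referer value to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def waf_decision(method: str, path: str, headers: Dict[str, str], trusted: Set[str]) -> str:
    """Return "allow" or "deny" for one request against the origin allowlist."""
    if method.upper() in SAFE_METHODS or not is_config_endpoint(path):
        return "allow"  # the rule only guards state changes on this endpoint
    hdrs = {k.lower(): v for k, v in headers.items()}
    candidate = hdrs.get("origin") or hdrs.get("referer")
    if not candidate or candidate == "null":
        return "deny"  # no provenance at all on a state-changing request: fail closed
    origin = origin_of(candidate)
    if origin is None or origin not in {t.lower() for t in trusted}:
        return "deny"
    return "allow"


# Apache "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def flag_config_posts(log_lines: Iterable[str], trusted: Set[str]) -> List[dict]:
    """Return one record per POST to the config endpoint whose Referer is absent
    or not on the allowlist.  A legitimate admin form posts from the site itself,
    so anything else deserves a look at the stored configuration."""
    allow = {t.lower() for t in trusted}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_config_endpoint(m["path"]):
            continue
        ref = origin_of(m["referer"]) if m["referer"] != "-" else None
        if ref not in allow:
            hits.append({"ip": m["ip"], "time": m["ts"], "referer": m["referer"],
                         "status": int(m["status"])})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:15:02 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 54 "https://video.example/configurations" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2026:10:17:45 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 54 "https://attacker.example/win.html" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Apr/2026:10:18:01 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 54 "-" "curl/8.0"',
    '203.0.113.7 - - [21/Apr/2026:10:19:30 +0000] "GET /objects/configurationUpdate.json.php HTTP/1.1" 200 120 "https://video.example/configurations" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2026:10:20:00 +0000] "POST /index.php HTTP/1.1" 200 54 "https://video.example/" "Mozilla/5.0"',
]
TRUSTED = {"https://video.example"}

if __name__ == "__main__":
    print(waf_decision("POST", CONFIG_ENDPOINT, {"Origin": "https://attacker.example"}, TRUSTED))
    print(waf_decision("POST", CONFIG_ENDPOINT, {}, TRUSTED))
    for hit in flag_config_posts(SAMPLE_LOG, TRUSTED):
        print(hit)
```

The policy deliberately treats "Origin: null" and a missing header the same way as a foreign origin; both occur in legitimate edge cases (some redirects, sandboxed frames), but on a configuration write the safe default is to reject and let an administrator retry from the site's own page. The log scan flags two of the five constructed lines: the POST with the attacker's Referer and the POST with none.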
How to fix
Update AVideo to version 29.1 or later to mitigate the vulnerability. This update adds proper validation of POST requests to the configuration update endpoint, preventing unauthorized modification of the site configuration through CSRF attacks.
Frequently Asked Questions
What is CVE-2026-40925 — CSRF in AVideo Configuration Update?
CVE-2026-40925 is a Cross-Site Request Forgery (CSRF) vulnerability in AVideo versions 1.0.0 through 29.0. A forged POST request, submitted from a page that an authenticated administrator visits, can modify the site configuration and potentially compromise the entire AVideo instance.
Am I affected by CVE-2026-40925 in AVideo?
You are affected if you are running AVideo versions 1.0.0 through 29.0 and have not yet upgraded. The vulnerability is easy to exploit because the configuration update endpoint (objects/configurationUpdate.json.php) has no CSRF protection and the session cookie is sent cross-site.
How do I fix CVE-2026-40925 in AVideo?
Upgrade AVideo to version 29.1 or later. As a temporary workaround, restrict POST requests to the configuration update endpoint (objects/configurationUpdate.json.php, also referred to here as /updateConfig) using a WAF or reverse proxy that enforces Origin header validation and rejects requests with no Origin.
Is CVE-2026-40925 being actively exploited?
As of the publication date, there are no publicly known active campaigns exploiting CVE-2026-40925. However, the vulnerability's ease of exploitation warrants immediate attention and remediation.
Where can I find the official AVideo advisory for CVE-2026-40925?
Refer to the AVideo security advisory published on 2026-04-21 for detailed information and remediation steps. Check the AVideo website or the project's official communication channels for the latest updates.