Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33649 describes a Cross-Site Request Forgery (CSRF) vulnerability within the wwbn/avideo component, affecting versions up to 26.0. This flaw allows an attacker to manipulate user group permissions without authentication, potentially granting them near-administrator privileges. The vulnerability stems from a lack of CSRF protection on a permission-setting endpoint and insecure cookie configurations, enabling silent privilege escalation.
The impact of CVE-2026-33649 is significant due to the potential for privilege escalation. An attacker can craft a malicious webpage containing an <img> tag that, when visited by an authenticated administrator, will silently modify user group permissions. This allows the attacker to grant their own user group elevated privileges, effectively gaining near-administrator access to the system. The combination of missing CSRF protection and the session.cookie_samesite=None setting makes exploitation relatively straightforward, as the attacker can bypass same-site cookie restrictions. Successful exploitation could lead to unauthorized data access, modification, or deletion, and potentially complete system compromise.
CVE-2026-33649 was published on March 25, 2026. The vulnerability's severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33649 is to upgrade to a patched version of wwbn/avideo that addresses the CSRF vulnerability. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the plugin/Permissions/setPermission.json.php endpoint to trusted users only. Additionally, review and tighten cookie security settings, ensuring that session.cookie_samesite is set to Lax or Strict to prevent cross-site cookie access. Implement a Web Application Firewall (WAF) rule to block requests to the vulnerable endpoint with suspicious parameters. After upgrading, confirm the fix by attempting to trigger the permission modification via a crafted URL and verifying that the request is rejected or requires authentication.
Update AVideo to a patched version that fixes the CSRF vulnerability in the `plugin/Permissions/setPermission.json.php` endpoint. Since no patched versions were available at the time of publication, it is recommended to monitor WWBN security updates and apply the patch as soon as it becomes available. As a temporary measure, CSRF validation can be implemented on the affected endpoint.
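The two mitigations above (CSRF validation on the permission-setting endpoint, and a `session.cookie_samesite` value other than `None`) can be combined in a single hardened handler. The following is an added example written for this page, not AVideo's own code: the function names, the `$_SESSION` keys, the request parameter names (`group_id`, `permission_id`, `allowed`) and the `isAdminSession()` check are assumptions, and the persistence step is passed in as a callable so the example stays independent of the application's database layer.

```php
<?php
// Added example (not AVideo's code): a CSRF-hardened JSON endpoint modelled on the
// permission-setting handler the advisory describes. Names and parameters are assumptions.
declare(strict_types=1);

// 1. Cookie hardening. SameSite=Lax keeps the session cookie off cross-site
//    subresource loads such as an <img> from an attacker-controlled page.
//    These settings must be applied before session_start().
ini_set('session.cookie_samesite', 'Lax');   // or 'Strict'; never 'None' here
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');       // assumes the site is served over HTTPS
session_start();

// 2. One random token per session; pages that render the permissions UI embed it
//    as a hidden form field or pass it in the X-CSRF-Token header.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Constant-time comparison of the submitted token against the session token.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// 4. Defence in depth: a browser-sent Origin header must match this host.
//    Requests without an Origin header are rejected to fail closed.
function originIsSameSite(): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    $host   = $_SERVER['HTTP_HOST'] ?? '';
    if ($origin === '' || $host === '') {
        return false;
    }
    return strcasecmp((string) parse_url($origin, PHP_URL_HOST), $host) === 0;
}

// Assumed shape of the session's user record; adapt to the application's own.
function isAdminSession(): bool
{
    return (bool) ($_SESSION['user']['is_admin'] ?? false);
}

function sendJson(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// Hypothetical replacement body for setPermission.json.php.
// $persist(int $groupId, int $permissionId, bool $allowed): bool is the
// application's own write to the permissions table (assumed signature).
function handleSetPermission(callable $persist): void
{
    // State changes only over POST: a GET triggered by <img src=...> never reaches the write.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        sendJson(405, ['error' => true, 'msg' => 'POST required']);
    }
    if (!isAdminSession()) {
        sendJson(403, ['error' => true, 'msg' => 'admin session required']);
    }
    if (!originIsSameSite()) {
        sendJson(403, ['error' => true, 'msg' => 'cross-site origin rejected']);
    }
    $token = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
    if (!csrfTokenIsValid(is_string($token) ? $token : null)) {
        sendJson(403, ['error' => true, 'msg' => 'invalid CSRF token']);
    }

    // Validate inputs only after the request is known to be legitimate.
    $groupId      = filter_input(INPUT_POST, 'group_id', FILTER_VALIDATE_INT);
    $permissionId = filter_input(INPUT_POST, 'permission_id', FILTER_VALIDATE_INT);
    $allowed      = filter_input(INPUT_POST, 'allowed', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($groupId === false || $groupId === null
        || $permissionId === false || $permissionId === null || $allowed === null) {
        sendJson(400, ['error' => true, 'msg' => 'invalid parameters']);
    }

    $ok = $persist($groupId, $permissionId, $allowed);
    sendJson($ok ? 200 : 500, ['error' => !$ok]);
}
```

To verify the fix after deployment, as the advisory suggests, issue the same request without the `csrf_token` field or from a page on another origin and confirm the endpoint answers 403 and the permission row is unchanged; with `SameSite=Lax` in place the browser will also omit the session cookie on such cross-site subresource loads, so the `isAdminSession()` check fails first.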
CVE-2026-33649 is a Cross-Site Request Forgery (CSRF) vulnerability in wwbn/avideo versions up to 26.0 that allows attackers to escalate privileges by silently modifying user group permissions.
You are affected if you are using wwbn/avideo version 26.0 or earlier. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of wwbn/avideo that addresses the CSRF vulnerability. As a temporary workaround, restrict access to the vulnerable endpoint and review cookie security settings.
Currently, there are no publicly known Proof-of-Concept (POC) exploits or reports of active exploitation, but it's crucial to apply the patch proactively.
Refer to the official wwbn/avideo security advisories and release notes for details on the patch and any related information.