Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the plugin/Live/standAloneFiles/saveDVR.json.php file of the AVideo Live plugin. This flaw allows attackers to trigger server-side requests to arbitrary internal or external resources by manipulating the webSiteRootURL parameter. Versions of the plugin prior to 26.0 are affected, and an upgrade is required to address this vulnerability. The vulnerability was publicly disclosed on 2026-03-19.
The SSRF vulnerability in the AVideo Live plugin allows an attacker to craft malicious requests that the server will execute. Because the webSiteRootURL parameter is passed directly to file_get_contents() without validation, an attacker can control the destination of these requests. This could lead to the exposure of sensitive internal resources, such as configuration files, database credentials, or internal APIs. Furthermore, an attacker could potentially use the server as a proxy to scan internal networks or interact with other internal services, leading to lateral movement within the network. The standalone deployment model exacerbates the risk, as it is intended for environments where the plugin has greater access to internal resources.
This vulnerability is considered high probability due to the ease of exploitation and the lack of authentication or validation. Public proof-of-concept code is likely to emerge given the straightforward nature of the SSRF. The vulnerability was published on 2026-03-19, and it is reasonable to expect active scanning and potential exploitation attempts. No KEV listing or confirmed exploitation reports are currently available.
Organizations utilizing the AVideo Live plugin in standalone mode are particularly at risk. This includes deployments where the plugin is used to stream live video content and requires direct access to internal resources for configuration or data storage. Shared hosting environments where multiple users share the same server instance are also vulnerable, as a compromised plugin instance could potentially be used to attack other users on the same server.
• php: Examine access logs for requests to plugin/Live/standAloneFiles/saveDVR.json.php with unusual values in the webSiteRootURL parameter. Look for requests using protocols like file:// or gopher://.
grep 'saveDVR.json.php.*webSiteRootURL=' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with a crafted webSiteRootURL parameter pointing to an internal resource. Verify that the server attempts to access the resource.
curl 'http://your-avideo-server/plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http://localhost/sensitive_data' -s
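The grep above only finds requests to the endpoint; the script below, an added example that is not part of this advisory or of the AVideo project, goes one step further and decodes each webSiteRootURL value, flagging the ones whose scheme is not http(s) or whose host is loopback, private, link-local or reserved. The Apache access-log lines it scans are constructed samples, not real traffic.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2026:10:01:02 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=https%3A%2F%2Fvideo.example.com%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Mar/2026:10:02:15 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http://localhost/sensitive_data HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.7 - - [19/Mar/2026:10:03:44 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=file:///etc/passwd HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.7 - - [19/Mar/2026:10:04:01 +0000] "GET /plugin/Live/standAloneFiles/saveDVR.json.php?webSiteRootURL=http://10.0.0.12:8080/ HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.2 - - [19/Mar/2026:10:05:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

ENDPOINT = "/plugin/Live/standAloneFiles/saveDVR.json.php"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_url(value):
    """Return why a webSiteRootURL value looks like SSRF abuse, or None if it looks benign."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http scheme %r" % parts.scheme      # file://, gopher://, ...
    host = (parts.hostname or "").lower()
    if host in ("", "localhost") or host.endswith(".localhost"):
        return "loopback host %r" % host
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                                    # a DNS name; resolve separately if needed
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        return "internal address %s" % ip
    return None

def scan_access_log(text):
    """Return (client_ip, timestamp, decoded_url, reason) for suspicious saveDVR.json.php hits."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        path, _, query = target.partition("?")
        if path != ENDPOINT:
            continue
        for value in parse_qs(query).get("webSiteRootURL", []):   # parse_qs percent-decodes
            reason = classify_url(value)
            if reason:
                hits.append((client, ts, value, reason))
    return hits
```

Running scan_access_log(SAMPLE_LOG) reports the localhost, file:// and 10.0.0.12 requests and ignores the benign https://video.example.com/ one; feed it the contents of your real access log to triage the same way.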
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33351 is to upgrade the AVideo Live plugin to version 26.0 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious values in the webSiteRootURL parameter. Specifically, look for unusual protocols (e.g., file://, gopher://) or internal IP addresses. Additionally, restrict network access to the server hosting the plugin to only allow necessary connections. After upgrading, verify the fix by attempting to access an internal resource via the vulnerable parameter; the request should be rejected.
Update AVideo to version 26.0 or later. This version contains a fix for the SSRF vulnerability in the Live plugin.
CVE-2026-33351 is a critical SSRF vulnerability in the AVideo Live plugin, allowing attackers to make server-side requests to arbitrary resources. Versions affected are those prior to 26.0.
You are affected if you are using the AVideo Live plugin in standalone mode and are running a version prior to 26.0.
Upgrade the AVideo Live plugin to version 26.0 or later. As a temporary workaround, implement a WAF rule to block suspicious webSiteRootURL values.
While no confirmed exploitation is currently reported, the ease of exploitation suggests a high probability of active scanning and potential attacks.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-33351.