CVE-2026-34247— WWBN AVideo 安全漏洞

AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a `socketLiveOFFCallback` notification containing the victim's broadcast key and user ID to all connected WebSocket clients. Commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

授权机制缺失

WWBN AVideo 安全漏洞

WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0及之前版本存在安全漏洞，该漏洞源于plugin/Live/uploadPoster.php端点缺少所有权检查，可能导致经过身份验证的用户覆盖任意直播计划的海报图像并泄露广播密钥。

N/A

N/A