漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
WWBN AVideo 跨站请求伪造漏洞
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在跨站请求伪造漏洞,该漏洞源于objects/configurationUpdate.json.php仅通过User::isAdmin保护端点,未调用forbidIfIsUntrustedRequest、未验证globalToken及Origin/Referer标头,可能导致登录管理员访问恶意页面时,浏览器自动提交跨域POST请求,重写站点编码器URL、SMTP凭据、站点<head> H
CVSS Information
N/A
Vulnerability Type
N/A