
Commit 1dc0212

1 parent de02b02 commit 1dc0212

2 files changed

Lines changed: 122 additions & 0 deletions


Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-363v-5rh8-23wg",
4+
"modified": "2026-03-26T18:16:39Z",
5+
"published": "2026-03-26T18:16:39Z",
6+
"aliases": [
7+
"CVE-2026-33867"
8+
],
9+
"summary": "AVideo has Plaintext Video Password Storage",
10+
"details": "### Summary\n\nAVideo allows content owners to password-protect individual videos. The video password is stored in the database in **plaintext** — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext.\n\n### Details\n\n**File:** `objects/video.php`\n\n**Vulnerable setter:**\n```php\npublic function setVideo_password($video_password)\n{\n AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);\n $this->video_password = trim($video_password);\n}\n```\n\n**Vulnerable getter:**\n```php\npublic function getVideo_password()\n{\n if (empty($this->video_password)) {\n return '';\n }\n return trim($this->video_password);\n}\n```\n\nThe value assigned to `$this->video_password` is only `trim()`-ed before being persisted to the database column `video_password` in the `videos` table. There is no call to any hashing function (e.g., `password_hash()`, `sha256`, or similar).\n\nWhen a visitor enters a password to access a protected video, the comparison is done directly against the stored plaintext:\n```php\n// Comparison at access check:\nif ($video->getVideo_password() === $_POST['password']) { ... }\n```\n\nThis means:\n1. Any database read (SQL injection, backup leak, hosting panel access) exposes all video passwords as cleartext.\n2. Video passwords are often reused by users across other services, making this a credential harvesting risk.\n3. The plaintext value is also present in application memory and any query logs.\n\n### PoC\n\n1. Set a password on any video via the AVideo admin/creator UI.\n2. Query the database: `SELECT clean_title, video_password FROM videos WHERE video_password != '';`\n3. 
All video passwords are returned in plaintext — no cracking required.\n\nAlternatively, exploit any of the SQL injection vulnerabilities already reported in this repository to extract the `video_password` column directly.\n\n### Impact\n\n- **Type:** Cleartext Storage of Sensitive Information (CWE-312)\n- **Severity:** High\n- **Authentication required:** No — any database read access (including via SQL injection by unauthenticated users) exposes all passwords\n- **Impact:** Full exposure of all video access passwords; credential reuse attacks against users who share passwords across services\n- **Fix:** Hash video passwords on write using `password_hash($video_password, PASSWORD_BCRYPT)` and verify on read using `password_verify($_POST['password'], $stored_hash)`",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "wwbn/avideo"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "26.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/WWBN/AVideo/commit/f2d68d2adbf73588ea61be2b781d93120a819e36"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/WWBN/AVideo"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-312"
55+
],
56+
"severity": "CRITICAL",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-03-26T18:16:39Z",
59+
"nvd_published_at": null
60+
}
61+
}
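Review bot: the machine-readable and human-readable severities in this file disagree: `database_specific.severity` is `"CRITICAL"`, while the `details` text under Impact states `**Severity:** High`; align one with the other (and with the CVSS v4 vector) so downstream consumers and human readers see the same rating. A second point on the `affected` block: the range ends with `"last_affected": "26.0"` even though `references` lists a fix commit (`f2d68d2adbf73588ea61be2b781d93120a819e36`); if that fix has shipped in a tagged release, a `"fixed"` event tells tooling which version resolves CVE-2026-33867, whereas `last_affected` only says 26.0 and earlier are affected and leaves the fixed version unstated.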
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-584p-rpvq-35vf",
4+
"modified": "2026-03-26T18:15:11Z",
5+
"published": "2026-03-26T18:15:11Z",
6+
"aliases": [
7+
"CVE-2026-33770"
8+
],
9+
"summary": "AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables",
10+
"details": "### Summary\n\nThe `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL.\n\n### Details\n\n**File:** `objects/category.php`\n\n**Vulnerable code:**\n```php\npublic static function fixCleanTitle($clean_title, $count, $id, $original_title = \"\")\n{\n global $global;\n\n $sql = \"SELECT * FROM categories WHERE clean_name = '{$clean_title}' \";\n if (!empty($id)) {\n $sql .= \" AND id != {$id} \";\n }\n $sql .= \" LIMIT 1\";\n $res = sqlDAL::readSql($sql, \"\", [], true);\n // ...\n}\n```\n\nBoth `$clean_title` (a user-supplied category name after slug conversion) and `$id` (the category ID being edited) are embedded directly into the SQL string. The `$clean_title` value derives from user input through the category save workflow — it is the \"clean\" URL-slug version of whatever category name the user submits. No escaping or parameterization is applied before the value is placed inside single quotes in the query.\n\n### PoC\n\nAn authenticated admin creates or renames a category with the title:\n```\ntest' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -\n```\n\nAfter slug conversion (which typically only strips spaces and special characters, leaving SQL metacharacters that survive inside single quotes), the backend executes:\n```sql\nSELECT * FROM categories WHERE clean_name = 'test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -' LIMIT 1\n```\n\nThis returns rows from the `users` table, enabling full credential exfiltration. 
The `$id` concatenation point is also injectable via a crafted numeric+SQL-suffix value if integer validation is absent.\n\n### Impact\n\n- **Type:** SQL Injection (CWE-89)\n- **Severity:** High\n- **Authentication required:** Admin-level (category management), though the same pattern may be reachable via lower-privilege paths depending on plugin configuration\n- **Impact:** Full database read; credentials, private video metadata, user PII accessible via UNION injection\n- **Fix:** Replace direct interpolation with parameterized queries — use `?` placeholders and pass `$clean_title` and `(int)$id` as bound parameters",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "wwbn/avideo"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "26.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/WWBN/AVideo"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-89"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-03-26T18:15:11Z",
59+
"nvd_published_at": null
60+
}
61+
}
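Review bot: the privilege level in the CVSS vector and in the prose do not match: the vector carries `PR:L` (low privileges), while the `details` Impact section says `**Authentication required:** Admin-level (category management)`; admin-level access would normally be expressed as `PR:H`, so either the vector or the sentence should be adjusted, or the "lower-privilege paths depending on plugin configuration" caveat should be stated as the basis for choosing `PR:L`. As in the sibling advisory, the `affected` range uses `"last_affected": "26.0"` although `references` cites the fix commit (`994cc2b3d802b819e07e6088338e8bf4e484aae4`); if that commit is in a released version, prefer a `"fixed"` event so consumers of CVE-2026-33770 can tell which version resolves it.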
