Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a0b04a6584de · 2026-03-25T14:33:26.000Z
GHSA-8gc5-j5rx-235r GHSA-mwjc-5j4x-r686
diff --git a/advisories/github-reviewed/2026/03/GHSA-8gc5-j5rx-235r/GHSA-8gc5-j5rx-235r.json b/advisories/github-reviewed/2026/03/GHSA-8gc5-j5rx-235r/GHSA-8gc5-j5rx-235r.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8gc5-j5rx-235r",
-  "modified": "2026-03-20T21:22:15Z",
+  "modified": "2026-03-25T14:31:39Z",
   "published": "2026-03-17T19:45:41Z",
   "aliases": [
     "CVE-2026-33036"
@@ -25,17 +25,33 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "4.0.0-beta.3"
+              "introduced": "5.0.0"
             },
             {
               "fixed": "5.5.6"
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 5.5.5"
-      }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "fast-xml-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0-beta.3"
+            },
+            {
+              "fixed": "4.5.5"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
@@ -55,6 +71,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
diff --git a/advisories/github-reviewed/2026/03/GHSA-mwjc-5j4x-r686/GHSA-mwjc-5j4x-r686.json b/advisories/github-reviewed/2026/03/GHSA-mwjc-5j4x-r686/GHSA-mwjc-5j4x-r686.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mwjc-5j4x-r686",
-  "modified": "2026-03-20T21:55:12Z",
+  "modified": "2026-03-25T14:32:36Z",
   "published": "2026-03-20T21:55:12Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-33512"
+  ],
   "summary": "AVideo has an unauthenticated decrypt oracle leaking any ciphertext",
   "details": "### Summary\nThe API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Severity: High.\n\n### Details\n- Entry: `plugin/API/get.json.php` is unauthenticated.\n- Handler: `plugin/API/API.php` `get_api_decryptString()` (lines ~5945–5966):\n  ```php\n  $string = decryptString($_REQUEST['string']);\n  return new ApiObject($string, empty($string));\n  ```\n  No APISecret or user check occurs before decrypting.\n- Public ciphertext source: `view/url2Embed.json.php` returns `playLink`/`playEmbedLink` (`encryptString(json_encode(...))`) to any caller.\n\n### PoC\n1. Obtain ciphertext:\n   ```\n   GET /view/url2Embed.json.php?url=https://example.com/video.mp4\n   ```\n   Copy `playLink`.\n2. Decrypt without auth:\n   ```\n   POST /plugin/API/get.json.php?APIName=decryptString\n   Content-Type: application/x-www-form-urlencoded\n\n   string=<playLink ciphertext>\n   ```\n   Response contains the plaintext JSON (videoLink, title, users_id, etc.).\n\n### Impact\n- Any encrypted payload produced by the platform can be decrypted by anyone.\n- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.\n\n### Mitigation\n- Require API secret or authenticated/authorized user for `decryptString`, or remove the endpoint.\n- Prefer one-way signatures (HMAC) instead of exposing generic decryption.\n- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.",
   "severity": [
@@ -38,6 +40,14 @@
       "type": "WEB",
       "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33512"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/WWBN/AVideo"
@@ -53,6 +63,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T21:55:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-23T19:16:40Z"
   }
 }
