GHSA-4q27-4rrq-fx95

Source
https://github.com/advisories/GHSA-4q27-4rrq-fx95
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4q27-4rrq-fx95/GHSA-4q27-4rrq-fx95.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4q27-4rrq-fx95
Aliases
  • CVE-2026-35181
Published
2026-04-03T23:43:23Z
Modified
2026-04-06T23:49:41.477759Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Details

Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)

Summary

The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

Details

In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:

$pluginDO->skin = $_POST['skin'];

No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration.

AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.

An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.

Proof of Concept

Host the following HTML on an attacker-controlled domain:

<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST"
      action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
  <input type="hidden" name="skin" value="minimalist" />
</form>
<script>
  document.getElementById("csrf").submit();
</script>
</body>
</html>

When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.

Impact

  • Platform-wide player appearance modification without admin consent
  • Potential disruption of video playback if an invalid skin value is set
  • The ORM security bypass via ignoreTableSecurityCheck() means there is no fallback protection
  • Can be used as part of a broader defacement or social engineering attack

Recommended Fix

Add CSRF token validation at admin/playerUpdate.json.php, before processing POST data:

// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}
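As an added example (not AVideo's own code), the snippet below shows what a hardened version of the endpoint looks like when it layers the three controls the advisory discusses: a session-bound CSRF token, a re-applied Origin/Referer check to compensate for the ignoreTableSecurityCheck() bypass, and a session cookie that is not SameSite=None. The helper names, EXPECTED_HOST and the ALLOWED_SKINS list are hypothetical placeholders.

```php
<?php
// Added example, not AVideo's own code: a hardened handler for the player skin
// update that layers the defenses the advisory describes. Helper names and the
// host/skin constants are hypothetical placeholders.
const EXPECTED_HOST = 'your-avideo-instance.com';      // placeholder host from the advisory
const ALLOWED_SKINS = ['default', 'minimalist'];        // constructed allow-list

// Session cookie without SameSite=None: a cross-site top-level POST then omits it (PHP 7.3+ syntax).
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Synchronizer token: issued once per session and embedded in the admin form.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the token echoed back in the POST body.
function isCsrfTokenValid(?string $submitted): bool {
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// The plugins table skips the ORM's Referer/Origin check (ignoreTableSecurityCheck),
// so re-apply that check at the endpoint as defense in depth.
function isSameOriginRequest(): bool {
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host = $source === '' ? null : parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, EXPECTED_HOST) === 0;
}

function rejectJson(string $message): void {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST')           { rejectJson('POST required'); }
if (!isCsrfTokenValid($_POST['csrf_token'] ?? null)) { rejectJson('Invalid CSRF token'); }
if (!isSameOriginRequest())                          { rejectJson('Cross-origin request rejected'); }
$skin = $_POST['skin'] ?? '';
if (!in_array($skin, ALLOWED_SKINS, true))           { rejectJson('Unknown skin'); }

// Only now is it safe to persist the validated value, e.g. $pluginDO->skin = $skin;
```

The allow-list also closes the "invalid or disruptive skin value" impact noted above, which a CSRF token alone does not address.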

Found by aisafe.io

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2026-04-06T20:16:26Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "github_reviewed_at": "2026-04-03T23:43:23Z",
    "severity": "MODERATE"
}
Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn/avideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
26.0

Affected versions

10.*
10.4
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
14.4
18.*
18.0
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4q27-4rrq-fx95/GHSA-4q27-4rrq-fx95.json"