
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-6w2r-cfpc-23r5: Unauthenticated IDOR in AVideo Playlist Endpoints

Vulnerability ID: GHSA-6W2R-CFPC-23R5
CVSS Score: 6.9
Published: 2026-03-07

A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the AVideo platform (formerly YouPHPTube) prior to version 25.0. The flaw allows unauthenticated remote attackers to retrieve private playlist information—including 'Watch Later' lists, 'Favorites', and custom private collections—for any user on the system. The vulnerability resides in the /objects/playlistsFromUser.json.php and /objects/playlistsFromUserVideos.json.php endpoints, which fail to validate the requester's identity or authorization level before querying the database with a flag that exposes non-public data.

TL;DR

Unauthenticated attackers can dump private playlists (Favorites, Watch Later) of any AVideo user by querying specific JSON endpoints with a target User ID. Fixed in version 25.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639 (Authorization Bypass Through User-Controlled Key)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (Unauthenticated)
  • Impact: Information Disclosure (Confidentiality)
  • Affected Component: objects/playlistsFromUser.json.php
  • Fix Version: 25.0

Affected Systems

  • AVideo < 25.0 (Fixed in: 25.0)

Code Analysis

Commit: 12adc66

Fix playlist disclosure by adding authentication checks

@@ -1,6 +1,10 @@
-$row = PlayList::getAllFromUser($_GET['users_id'], false);
+$publicOnly = true;
+if (User::isLogged() && (User::isAdmin() || User::getId() == $_GET['users_id'])) {
+    $publicOnly = false;
+}
+$row = PlayList::getAllFromUser($_GET['users_id'], $publicOnly);
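Review bot: `$_GET['users_id']` is still passed to `PlayList::getAllFromUser` unvalidated, and the ownership check compares `User::getId()` against that raw query-string value with a loose `==`. Cast it once (`$users_id = intval($_GET['users_id']);`), use that variable both in the comparison (with `===`) and in the query call, so a non-numeric or malformed id can neither pass the check nor reach the model. The header `@@ -1,6 +1,10 @@` promises ten lines but only the guarded call is shown, and the description names objects/playlistsFromUserVideos.json.php as affected as well; confirm the same `$publicOnly` guard is applied in that endpoint.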

Mitigation Strategies

  • Update AVideo to version 25.0 or later immediately.
  • Implement WAF rules to block access to sensitive /objects/ endpoints if patching is delayed.
  • Audit access logs for sequential requests to playlistsFromUser.json.php to identify potential data scraping.
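The log-audit step above, as an added example that is not part of the original report: a Python script over constructed Apache combined-format lines that flags clients walking consecutive users_id values against the two endpoints the report names. The endpoint paths come from the report; the sample IPs, timestamps and the threshold of four consecutive ids are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2026:10:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUserVideos.json.php?users_id=3 HTTP/1.1" 200 1201 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 377 "-" "curl/8.5.0"
198.51.100.20 - - [07/Mar/2026:10:01:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 640 "https://video.example/" "Mozilla/5.0"
198.51.100.20 - - [07/Mar/2026:10:05:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 640 "https://video.example/" "Mozilla/5.0"
"""

# client ip, request target and status code from one combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PLAYLIST_ENDPOINTS = {"/objects/playlistsFromUser.json.php", "/objects/playlistsFromUserVideos.json.php"}

def playlist_requests(lines):
    """Yield (ip, users_id) for each successful request to an affected endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlparse(m["target"])
        if url.path not in PLAYLIST_ENDPOINTS:
            continue
        for uid in parse_qs(url.query).get("users_id", []):
            if uid.isdigit():
                yield m["ip"], int(uid)

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in a set of ids."""
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # count only from the start of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best

def find_enumeration(lines, min_run=4):
    """Map ip -> sorted users_id values for clients that walked >= min_run consecutive ids."""
    seen = defaultdict(set)
    for ip, uid in playlist_requests(lines):
        seen[ip].add(uid)  # a user re-fetching one playlist never forms a run
    return {ip: sorted(ids) for ip, ids in seen.items() if longest_sequential_run(ids) >= min_run}

FLAGGED = find_enumeration(SAMPLE_LOG.splitlines())  # {'203.0.113.7': [1, 2, 3, 4]}
```

Feed real access logs in with `find_enumeration(open(path))` and tune `min_run` to the site's traffic; a single legitimate user viewing their own Favorites repeatedly is not flagged.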

Remediation Steps:

  1. Navigate to the AVideo installation directory.
  2. Pull the latest changes from the official repository: git pull origin master.
  3. Verify the version matches or exceeds 25.0.
  4. Specifically verify the file objects/playlistsFromUser.json.php contains the logic if (User::isLogged() && ...).

