WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which truncates at the first `/` segment) and one for file access (which preserves `..` traversal sequences) — creating a split-oracle condition where authorization is checked against one video while content is served from another.
Version 26.0 contains a fix for the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Wwbn Avideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
|
— |
26.0
|