CVE-2026-30885 (GCVE-0-2026-30885)
Vulnerability from cvelistv5 – Published: 2026-03-09 22:35 – Updated: 2026-03-10 14:12
VLAI?
Title
WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure
Summary
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
Severity ?
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30885",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:12:08.404089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:12:14.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:35:59.663Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5"
},
{
"name": "https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca"
}
],
"source": {
"advisory": "GHSA-6w2r-cfpc-23r5",
"discovery": "UNKNOWN"
},
"title": "WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30885",
"datePublished": "2026-03-09T22:35:59.663Z",
"dateReserved": "2026-03-06T00:04:56.700Z",
"dateUpdated": "2026-03-10T14:12:14.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30885\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T17:40:14.730\",\"lastModified\":\"2026-03-13T15:20:47.880\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de 25.0, el endpoint /objects/playlistsFromUser.json.php devuelve todas las listas de reproducci\u00f3n para cualquier usuario sin requerir autenticaci\u00f3n o autorizaci\u00f3n. Un atacante no autenticado puede enumerar IDs de usuario y recuperar informaci\u00f3n de la lista de reproducci\u00f3n, incluyendo nombres de listas de reproducci\u00f3n, IDs de video y el estado de la lista de reproducci\u00f3n para cualquier usuario en la plataforma. Esta vulnerabilidad est\u00e1 corregida en 25.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"25.0\",\"matchCriteriaId\":\"8F7D4693-9554-407D-89B9-76D0C3B592AD\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30885\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T14:12:08.404089Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T14:12:02.724Z\"}}], \"cna\": {\"title\": \"WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure\", \"source\": {\"advisory\": \"GHSA-6w2r-cfpc-23r5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 25.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca\", \"name\": \"https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-09T22:35:59.663Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30885\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T14:12:14.963Z\", \"dateReserved\": \"2026-03-06T00:04:56.700Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-09T22:35:59.663Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-30885
Vulnerability from fkie_nvd - Published: 2026-03-10 17:40 - Updated: 2026-03-13 15:20
Severity ?
Summary
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca | Patch | |
| security-advisories@github.com | https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5 | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5 | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F7D4693-9554-407D-89B9-76D0C3B592AD",
"versionEndExcluding": "25.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0."
},
{
"lang": "es",
"value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Antes de 25.0, el endpoint /objects/playlistsFromUser.json.php devuelve todas las listas de reproducci\u00f3n para cualquier usuario sin requerir autenticaci\u00f3n o autorizaci\u00f3n. Un atacante no autenticado puede enumerar IDs de usuario y recuperar informaci\u00f3n de la lista de reproducci\u00f3n, incluyendo nombres de listas de reproducci\u00f3n, IDs de video y el estado de la lista de reproducci\u00f3n para cualquier usuario en la plataforma. Esta vulnerabilidad est\u00e1 corregida en 25.0."
}
],
"id": "CVE-2026-30885",
"lastModified": "2026-03-13T15:20:47.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-10T17:40:14.730",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-6W2R-CFPC-23R5
Vulnerability from github – Published: 2026-03-07 02:25 – Updated: 2026-03-10 18:43
VLAI?
Summary
AVideo has Unauthenticated IDOR - Playlist Information Disclosure
Details
Product: AVideo (https://github.com/WWBN/AVideo) Version: Latest (tested March 2026) Type: Insecure Direct Object Reference (IDOR) Auth Required: No User Interaction: None
Summary
The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform.
Root Cause
The endpoint accepts a users_id parameter and directly queries the database without any authentication or authorization check.
File: objects/playlistsFromUser.json.php
if (empty($_GET['users_id'])) {
die("You need a user");
}
// NO AUTHENTICATION CHECK
// NO AUTHORIZATION CHECK (does this user_id belong to the requester?)
$row = PlayList::getAllFromUser($_GET['users_id'], false);
echo json_encode($row);
There is no call to User::isLogged() or any comparison between the requesting user and the target users_id.
Affected Code
| File | Line | Issue |
|---|---|---|
objects/playlistsFromUser.json.php |
10-21 | No authentication or authorization check before returning playlist data |
Proof of Concept
Retrieve admin's playlists (user ID 1)
curl "https://TARGET/objects/playlistsFromUser.json.php?users_id=1"
Response:
[
{"id":false,"name":"Watch Later","status":"watch_later","users_id":1},
{"id":false,"name":"Favorite","status":"favorite","users_id":1}
]
Impact
- Privacy violation — any visitor can see all users' playlist names and contents
- User enumeration — valid user IDs can be discovered by iterating through IDs
- Information gathering — playlist names and video IDs reveal user interests and private content preferences
- Targeted attacks — gathered information can be used for social engineering or further exploitation
Remediation
Add authentication and authorization checks:
// Option 1: Require authentication + only own playlists
if (!User::isLogged()) {
die(json_encode(['error' => 'Authentication required']));
}
if ($_GET['users_id'] != User::getId() && !User::isAdmin()) {
die(json_encode(['error' => 'Access denied']));
}
// Option 2: If public playlists are intended, filter by visibility
$row = PlayList::getAllFromUser($_GET['users_id'], false, 'public');
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30885"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-07T02:25:48Z",
"nvd_published_at": "2026-03-10T17:40:14Z",
"severity": "MODERATE"
},
"details": "**Product:** AVideo (https://github.com/WWBN/AVideo)\n**Version:** Latest (tested March 2026)\n**Type:** Insecure Direct Object Reference (IDOR)\n**Auth Required:** No\n**User Interaction:** None\n\n## Summary\n\nThe `/objects/playlistsFromUser.json.php` endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform.\n\n## Root Cause\n\nThe endpoint accepts a `users_id` parameter and directly queries the database without any authentication or authorization check.\n**File:** `objects/playlistsFromUser.json.php`\n\n```php\nif (empty($_GET[\u0027users_id\u0027])) {\n die(\"You need a user\");\n}\n// NO AUTHENTICATION CHECK\n// NO AUTHORIZATION CHECK (does this user_id belong to the requester?)\n$row = PlayList::getAllFromUser($_GET[\u0027users_id\u0027], false);\necho json_encode($row);\n```\n\nThere is no call to `User::isLogged()` or any comparison between the requesting user and the target `users_id`.\n\n## Affected Code\n\n| File | Line | Issue |\n|------|------|-------|\n| `objects/playlistsFromUser.json.php` | 10-21 | No authentication or authorization check before returning playlist data |\n\n## Proof of Concept\n\n### Retrieve admin\u0027s playlists (user ID 1)\n\n```bash\ncurl \"https://TARGET/objects/playlistsFromUser.json.php?users_id=1\"\n```\n\n**Response:**\n```json\n[\n {\"id\":false,\"name\":\"Watch Later\",\"status\":\"watch_later\",\"users_id\":1},\n {\"id\":false,\"name\":\"Favorite\",\"status\":\"favorite\",\"users_id\":1}\n]\n```\n\n\u003cimg width=\"1805\" height=\"365\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a13c9c2f-29be-4399-98d2-7570ca30465a\" /\u003e\n\n\n## Impact\n\n- **Privacy violation** \u2014 any visitor can see all users\u0027 playlist names and contents\n- **User enumeration** \u2014 valid user IDs can be discovered by iterating through IDs\n- **Information gathering** \u2014 playlist names and video IDs reveal user interests and private content preferences\n- **Targeted attacks** \u2014 gathered information can be used for social engineering or further exploitation\n\n## Remediation\n\nAdd authentication and authorization checks:\n\n```php\n// Option 1: Require authentication + only own playlists\nif (!User::isLogged()) {\n die(json_encode([\u0027error\u0027 =\u003e \u0027Authentication required\u0027]));\n}\nif ($_GET[\u0027users_id\u0027] != User::getId() \u0026\u0026 !User::isAdmin()) {\n die(json_encode([\u0027error\u0027 =\u003e \u0027Access denied\u0027]));\n}\n\n// Option 2: If public playlists are intended, filter by visibility\n$row = PlayList::getAllFromUser($_GET[\u0027users_id\u0027], false, \u0027public\u0027);\n```",
"id": "GHSA-6w2r-cfpc-23r5",
"modified": "2026-03-10T18:43:57Z",
"published": "2026-03-07T02:25:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30885"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "AVideo has Unauthenticated IDOR - Playlist Information Disclosure"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…