<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-18T13:49:37.687940+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d228e94e-df93-4487-8da5-b6997baa9856/export</id>
    <title>d228e94e-df93-4487-8da5-b6997baa9856</title>
    <updated>2026-06-18T13:49:38.046635+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d228e94e-df93-4487-8da5-b6997baa9856", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-QXVM-R42F-5P8J", "type": "seen", "source": "https://gist.github.com/alon710/3f6e131558b54840867035277f5b43a2", "content": "# GHSA-QXVM-R42F-5P8J: GHSA-QXVM-R42F-5P8J: Authentication Bypass via Meet Plugin in AVideo\n\n&amp;gt; **CVSS Score:** 9.8\n&amp;gt; **Published:** 2026-05-15\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-QXVM-R42F-5P8J\n\n## Summary\nAVideo is vulnerable to a critical authentication bypass within the Meet plugin. An attacker possessing the Meet shared secret can impersonate any user, including administrators, by supplying a crafted filename to the video upload endpoint, leading to complete system compromise.\n\n## TL;DR\nA flaw in AVideo's Meet plugin allows authentication bypass and arbitrary user impersonation. By exploiting an insecure passwordless login mechanism linked to video file uploads, an attacker can obtain administrative access.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-287 / CWE-288 / CWE-306\n- **Attack Vector**: Network\n- **Authentication**: Shared Secret Required\n- **Impact**: Administrative Privilege Escalation\n- **Exploit Status**: Proof of Concept\n- **Vulnerable Component**: uploadRecordedVideo.json.php\n\n## Affected Systems\n\n- AVideo (formerly YouPHPTube)\n- AVideo Meet Plugin\n- **AVideo Meet Plugin**: All unpatched versions (Fixed in: `Latest repository commit`)\n\n## Mitigation\n\n- Update AVideo and the Meet plugin to the latest available releases.\n- Rotate the Meet shared secret to a newly generated, highly entropic value.\n- Restrict access to the `uploadRecordedVideo.json.php` endpoint via WAF or web server configuration to authorized meeting infrastructure IP addresses only.\n\n**Remediation Steps:**\n1. Navigate to the AVideo administration panel and review installed plugins.\n2. Pull the latest codebase from the WWBN/AVideo master branch or apply the latest release tags.\n3. Access the Meet plugin configuration and generate a new random string for the 'Meet shared secret'.\n4. Update all authorized meeting instances with the newly generated secret.\n5. Restart the web service to clear any active sessions potentially established by attackers.\n\n## References\n\n- [AVideo Official Repository](https://github.com/WWBN/AVideo)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-QXVM-R42F-5P8J) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-15T19:40:30.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d228e94e-df93-4487-8da5-b6997baa9856/export"/>
    <published>2026-05-15T19:40:30+00:00</published>
  </entry>
</feed>
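<!--
Added example (editor's code, not part of the Vulnerability-Lookup feed, feedgen, or any project the entry describes): a consumer for the sighting entries above. The sighting payload inside each entry's content element is JSON, and the markdown report inside that JSON was HTML-escaped before feedgen XML-escaped it (which is why the entry above carries "&amp;gt;" where the gist has ">"), so a reader must undo three layers in order: XML entities, JSON, then HTML entities. The sample feed in the block is a constructed, trimmed copy of the entry above plus a deliberately broken second entry; the regexes for CVSS score, exploit status and vulnerable component assume the CVEReports markdown layout shown in the entry, and the GHSA/CVE identifier patterns are simplified shapes, not the full official grammars.

```python
"""Decode and triage sighting entries from the Vulnerability-Lookup Atom feed.

Added example, not code from Vulnerability-Lookup. The payload in each entry's
content element is JSON, and the markdown report inside that JSON was
HTML-escaped before the XML escaping, so three layers are undone here:
XML entities (ElementTree), JSON (json.loads), HTML entities (html.unescape).
"""
import html
import json
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample: a trimmed copy of the real entry, plus a second entry whose
# payload is not JSON, to show that one bad record is skipped rather than fatal.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-18T13:49:37+00:00</updated>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d228e94e-df93-4487-8da5-b6997baa9856/export</id>
    <title>d228e94e-df93-4487-8da5-b6997baa9856</title>
    <updated>2026-06-18T13:49:38+00:00</updated>
    <content>{"uuid": "d228e94e-df93-4487-8da5-b6997baa9856", "vulnerability": "GHSA-QXVM-R42F-5P8J", "type": "seen", "source": "https://gist.github.com/alon710/3f6e131558b54840867035277f5b43a2", "content": "# GHSA-QXVM-R42F-5P8J: Authentication Bypass via Meet Plugin in AVideo\\n\\n&amp;gt; **CVSS Score:** 9.8\\n&amp;gt; **Published:** 2026-05-15\\n\\n## Exploit Status: POC\\n\\n- **Vulnerable Component**: uploadRecordedVideo.json.php\\n", "creation_timestamp": "2026-05-15T19:40:30.000000Z"}</content>
    <published>2026-05-15T19:40:30+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/00000000-0000-0000-0000-000000000000/export</id>
    <title>00000000-0000-0000-0000-000000000000</title>
    <updated>2026-06-18T13:49:39+00:00</updated>
    <content>this is not a JSON payload</content>
  </entry>
</feed>
"""

# Simplified identifier shapes (assumption: good enough as a lookup-key gate).
GHSA_RE = re.compile(r"^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$", re.IGNORECASE)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def parse_sightings(feed_xml: str) -> list[dict]:
    """Return one dict per entry whose content element holds valid JSON.

    The markdown in the "content" field is HTML-unescaped; the Atom entry id is
    copied in as "entry_id" so callers can de-duplicate on it.
    """
    root = ET.fromstring(feed_xml)
    sightings = []
    for entry in root.iter(ATOM + "entry"):
        raw = entry.findtext(ATOM + "content") or ""
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError:
            continue  # undecodable third-party record: skip it, keep reading the feed
        if not isinstance(payload, dict):
            continue
        payload["content"] = html.unescape(str(payload.get("content", "")))
        payload["entry_id"] = entry.findtext(ATOM + "id")
        sightings.append(payload)
    return sightings


def triage(sighting: dict) -> dict:
    """Pull the fields an analyst routes on, validating each before use.

    The vulnerability id must look like a GHSA or CVE id before it is used as a
    lookup key; the CVSS score is kept only if it parses as a number in 0..10;
    the source must be an https URL. Markdown regexes assume the CVEReports layout.
    """
    vuln = str(sighting.get("vulnerability", ""))
    body = sighting.get("content", "")
    cvss = None
    m = re.search(r"\*\*CVSS Score:\*\*\s*([0-9]+(?:\.[0-9]+)?)", body)
    if m and 0.0 <= float(m.group(1)) <= 10.0:
        cvss = float(m.group(1))
    status = re.search(r"^## Exploit Status:\s*(\S+)", body, re.MULTILINE)
    component = re.search(r"^- \*\*Vulnerable Component\*\*:\s*(\S+)", body, re.MULTILINE)
    return {
        "entry_id": sighting.get("entry_id"),
        "vulnerability": vuln,
        "id_is_valid": bool(GHSA_RE.match(vuln) or CVE_RE.match(vuln)),
        "sighting_type": sighting.get("type"),
        "source_is_https": str(sighting.get("source", "")).startswith("https://"),
        "cvss": cvss,
        "exploit_status": status.group(1) if status else None,
        "vulnerable_component": component.group(1) if component else None,
    }


if __name__ == "__main__":
    for s in parse_sightings(SAMPLE_FEED):
        print(triage(s))
```

Run against the live feed URL, the same two functions apply unchanged; the point of the id and CVSS gates is that the sighting body is third-party text relayed by the feed, so nothing in it should become a database key or a severity field without being checked first.
-->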
