AVideo Information Disclosure Scanner

AVideo is a video-sharing platform used by content creators and businesses to upload, share, and monetize videos. It is widely used by media companies, educational institutions, and independent creators for its customization capabilities and user-friendly interface. The platform supports multiple video formats and provides features like live streaming, video ranking, and user subscriptions. Organizations utilize AVideo to engage audiences, provide educational content, and facilitate video communications within corporate environments. It integrates with various plugins and tools that extend its functionality, making it a flexible solution for video content management. Due to its popularity, maintaining security within AVideo is crucial to protect user data and ensure seamless operations.

The detected vulnerability in AVideo involves information disclosure, which can lead to sensitive user data being revealed. Information disclosure occurs when an application inadvertently exposes sensitive data such as user names, email addresses, and other personal information. This vulnerability often arises due to improper access controls or misconfigurations that allow unauthorized users to access data. Attackers may exploit this to gather personal information, which can be used for nefarious purposes such as phishing or identity theft. Information disclosure vulnerabilities can degrade user trust and compromise privacy, underscoring the importance of securing application data.

Technically, the vulnerability resides in the endpoint "/objects/playlistsFromUser.json.php?users_id=1", where sensitive user information is displayed. The vulnerability is exploited by sending a GET request to this endpoint, which returns user details such as "name", "email", and "channelName". Unauthorized users can access this data if proper access controls are not enforced. The absence of adequate checks facilitates information leakage, exposing sensitive user attributes to attackers. The vulnerability is significant due to the nature of information disclosed and the ease with which it can be exploited.

When malicious actors exploit this vulnerability, it can lead to significant repercussions for users and the organization. Personal information such as user names and email addresses can be harvested and used for spear-phishing attacks, increasing the risk of identity theft. The exposure of such sensitive data undermines user privacy and can lead to a loss of trust in the platform. Furthermore, the organization may face legal implications if regulatory requirements for data protection are not met. Addressing this vulnerability is crucial to maintaining the integrity and confidentiality of user data.

REFERENCES

• https://github.com/WWBN/AVideo