The vulnerability exists in `objects/sendEmail.json.php` due to improper routing logic. When the `contactForm` parameter is omitted, the code sets `$sendTo` to the attacker-controlled `$_POST['email']` (line 35). For unauthenticated users, `User::getEmail_()` returns an empty string (user.php:345-352), so `$replyTo` falls back to the site's contact email (line 32). The endpoint then calls `setSiteSendMessage($mail)`, which uses the site's own SMTP credentials (line 25). Subsequently, `$mail->setFrom($replyTo)` and `$mail->AddReplyTo($replyTo)` set the site's legitimate email as both sender and reply-to (lines 44-45), and `$mail->addAddress($sendTo)` delivers the message to the attacker-chosen recipient (line 47). The endpoint is listed as a "public write action" in objects/functionsSecurity.php:885, bypassing authentication and CSRF checks. A valid CAPTCHA solve is required, but that can be bypassed manually for targeted attacks. No rate limiting or authorization ties the caller to the recipient. The email body and subject are fully attacker-controlled via the `comment` and `first_name` fields; HTML escaping prevents markup injection but does nothing against phishing text. Because the site's own mail infrastructure relays the message, SPF, DKIM and DMARC all pass, making the phishing email indistinguishable from legitimate site mail.
dailycve form:
Platform: AVideo
Version: All SMTP-enabled
Vulnerability: Unauthenticated email abuse
Severity: Critical
Date: Not assigned
Prediction: No patch yet
What Undercode Says:
Identify vulnerable endpoint:
curl -X POST http://target/objects/sendEmail.json.php --data-urlencode "captcha=<solved>" --data-urlencode "[email protected]" --data-urlencode "first_name=Phish" --data-urlencode "comment=Click link"
Automate with captcha solver (hypothetical):
for email in $(cat targets.txt); do curl -s -X POST http://target/objects/sendEmail.json.php --data "captcha=$(solve_captcha)&email=$email&first_name=Support&comment=Reset password"; done
Exploit:
Send a POST request omitting `contactForm=1`; supply any valid captcha, a recipient email, and the malicious message. The server returns `{"error":"","success":"Message sent"}`. The victim receives an email from the site's real contact address containing the attacker's phishing text.
Protection from this CVE:
Patch by rejecting non-contactForm requests from unauthenticated users. Use a `no-reply` address as From: and place the caller's email only in Reply-To. Add rate limiting and require a logged-in session for sharing flows.
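As an added example (not AVideo's own code), the routing logic below applies the fixes just listed: unauthenticated callers can only reach the contact-form path, From is a fixed no-reply address, the caller's address lands only in Reply-To, and a simple per-session rate limit is enforced. `resolveMailRouting`, `withinRateLimit`, `$siteContactEmail`, `$noReplyAddress` and `User::isLogged()` are assumed names; `User::getEmail_()`, `setSiteSendMessage()` and the PHPMailer calls are the ones the advisory references.

```php
<?php
// Added example, not AVideo's code: a hardened routing decision for a
// sendEmail-style endpoint that applies the three mitigations above.
// Assumed names: $siteContactEmail, $noReplyAddress and the two functions
// below are hypothetical; $mail is the PHPMailer-style object from the advisory.
function resolveMailRouting(array $post, bool $isLogged, string $userEmail,
                            string $siteContactEmail, string $noReplyAddress): array {
    $isContactForm = !empty($post['contactForm']);
    $postedEmail   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: null;

    if ($isContactForm) {
        // Contact form: recipient is pinned to the site; the visitor's address
        // (if syntactically valid) goes into Reply-To so staff can answer.
        $sendTo  = $siteContactEmail;
        $replyTo = $postedEmail;
    } else {
        // Share flow: arbitrary recipient, so the caller must be authenticated
        // and the recipient must be a well-formed address.
        if (!$isLogged) {
            return ['ok' => false, 'error' => 'Login required'];
        }
        if ($postedEmail === null) {
            return ['ok' => false, 'error' => 'Invalid recipient'];
        }
        $sendTo  = $postedEmail;
        $replyTo = filter_var($userEmail, FILTER_VALIDATE_EMAIL) ?: null;
    }
    // From is always the no-reply address, never the contact mailbox.
    return ['ok' => true, 'from' => $noReplyAddress, 'replyTo' => $replyTo, 'to' => $sendTo];
}

// Hypothetical per-session rate limit: at most $max sends per $windowSeconds.
function withinRateLimit(array &$session, int $max = 5, int $windowSeconds = 3600): bool {
    $now = time();
    $recent = array_filter($session['sendEmail_times'] ?? [],
                           fn(int $t) => $t > $now - $windowSeconds);
    if (count($recent) >= $max) {
        return false;
    }
    $recent[] = $now;
    $session['sendEmail_times'] = array_values($recent);
    return true;
}

// How the endpoint would apply it (User::isLogged() is assumed to exist):
// $route = resolveMailRouting($_POST, User::isLogged(), User::getEmail_(), $siteContactEmail, $noReplyAddress);
// if (!$route['ok'] || !withinRateLimit($_SESSION)) { die(json_encode(['error' => $route['error'] ?? 'Rate limited'])); }
// $mail->setFrom($route['from']); if ($route['replyTo']) { $mail->AddReplyTo($route['replyTo']); }
// $mail->addAddress($route['to']);
```

With this routing, an anonymous request that omits `contactForm` is refused before `setSiteSendMessage($mail)` is ever reached, and even the legitimate contact path never puts the contact mailbox in From.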
Impact:
Full sender spoofing with valid SPF/DKIM/DMARC, enabling targeted phishing, brand impersonation, and account takeover. The site's mail infrastructure can end up blacklisted, damaging its reputation. Works on any default AVideo deployment with SMTP configured.
Sources:
Reported By: github.com