AVideo, OAuth Password Hash Exposure (Critical)


How the CVE works

The vulnerability lives in `plugin/MobileManager/oauth2.php`, the script that completes an OAuth login. After the victim authorizes with a provider (e.g., Google), the server answers with a raw redirect: Location: oauth2Success.php?user=<email>&pass=<HASH>.
`<HASH>` is the stored password hash taken verbatim from the `users` table, computed as md5(hash("whirlpool", sha1(password))). Because it travels in the query string of a GET request, it ends up in the web server's access log when the browser follows the redirect, in any proxy log on the path, in the victim's browser history, and in the `Referer` header sent to whatever oauth2Success.php loads next.
Separately, `objects/login.json.php` accepts an `encodedPass=1` flag. With that flag set, the login routine `encryptPasswordVerify()` compares the supplied `pass` value as a plain string against the stored hash and skips hashing entirely.
An attacker who captures the leaked hash can therefore replay it with `encodedPass=1` and log in as the victim without ever learning the plaintext password. The request is a single stateless GET: no CSRF token, no prior session, and it works on the first attempt. The hash stays valid until the victim changes their password.
Three facts chain into one account-takeover primitive: the redirect is a bare `Location:` to a GET URL, the password hash is in that URL, and the same hash is accepted as a credential via `encodedPass=1`.

dailycve form

Platform: AVideo
Version: Not specified
Vulnerability: OAuth hash leak
Severity: Critical
Date: 2026-05-05

Prediction: Two weeks patch

What Undercode Say:

Extract leaked hashes from access logs (the hash follows user= in the query, so a literal "?pass=" never matches; match the whole query string):
grep -E 'oauth2Success\.php\?[^ ]*pass=' /var/log/nginx/access.log
Replay a captured hash to take over the account (URL-encode the @ in the e-mail as %40):
curl -i 'https://target/objects/login.json.php?user=<email>&pass=9d7ab4...&encodedPass=1'
Monitor for encodedPass usage (plain grep; pipe into jq only if your nginx log_format emits JSON):
grep -F 'encodedPass=1' /var/log/nginx/access.log
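The three commands above, reworked as an added Python detection script (this is not code from the page or from AVideo): it parses nginx combined-format lines, records every hash that leaked through an oauth2Success.php request, then grades each login.json.php call carrying encodedPass=1, marking it a replay when its pass= value is one of the leaked hashes. The log lines are constructed for the example, and the path /plugin/MobileManager/oauth2Success.php is an assumption drawn from the relative redirect in oauth2.php.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx combined-format lines, not real traffic. The leak shows up in
# the access log because the victim's browser follows the 302 and GETs
# oauth2Success.php with the hash in its query string; the Location: header
# itself is never logged. Assumption: oauth2Success.php sits next to oauth2.php
# under /plugin/MobileManager/, as the relative redirect implies.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2026:10:01:12 +0000] "GET /plugin/MobileManager/oauth2Success.php?user=victim%40example.com&pass=9d7ab4e1f0c2a3b4d5e6f708192a3b4c HTTP/1.1" 200 512 "https://accounts.google.com/" "Mozilla/5.0"
203.0.113.5 - - [05/May/2026:10:02:03 +0000] "GET /objects/login.json.php?user=victim%40example.com&pass=hunter2 HTTP/1.1" 200 118 "-" "Mozilla/5.0"
198.51.100.77 - - [05/May/2026:13:44:51 +0000] "GET /objects/login.json.php?user=victim%40example.com&pass=9d7ab4e1f0c2a3b4d5e6f708192a3b4c&encodedPass=1 HTTP/1.1" 200 118 "-" "curl/8.5.0"
198.51.100.77 - - [05/May/2026:13:45:10 +0000] "GET /objects/login.json.php?user=other%40example.com&pass=0123456789abcdef0123456789abcdef&encodedPass=1 HTTP/1.1" 200 118 "-" "curl/8.5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Split one combined-format line into ip, timestamp, path, status and a
    flat query dict (first value per key). Returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "status": int(m["status"]), "q": query}


def analyze(log_text: str) -> dict:
    """Walk the log in order. Hashes seen in oauth2Success.php requests are
    recorded as leaked; every later login.json.php call with encodedPass=1 is
    an alert, graded 'hash_replay' when its pass= value is a known leaked hash
    (the replay the advisory describes) and 'encoded_pass_use' otherwise."""
    leaked: dict = {}
    alerts: list = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        q = rec["q"]
        if rec["path"].endswith("/oauth2Success.php") and "pass" in q:
            leaked.setdefault(q["pass"], {"user": q.get("user"), "ip": rec["ip"], "ts": rec["ts"]})
            alerts.append({"kind": "hash_leak", "user": q.get("user"), "ip": rec["ip"],
                           "ts": rec["ts"], "status": rec["status"], "leaked_to": None,
                           "ip_changed": False})
        elif rec["path"].endswith("/login.json.php") and q.get("encodedPass") == "1":
            origin = leaked.get(q.get("pass", ""))
            alerts.append({"kind": "hash_replay" if origin else "encoded_pass_use",
                           "user": q.get("user"), "ip": rec["ip"], "ts": rec["ts"],
                           "status": rec["status"], "leaked_to": origin,
                           "ip_changed": origin is not None and origin["ip"] != rec["ip"]})
    return {"leaked": leaked, "alerts": alerts}


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG)["alerts"]:
        print(a["kind"], a["user"], "from", a["ip"], "at", a["ts"], "ip_changed=", a["ip_changed"])
```

The log is read in order, so a replay is only classified as one when the leak precedes it in the same input; feed rotated logs in sequence if the leak is older. A hash_replay whose ip_changed flag is set (the hash was issued to one address and presented from another) is the strongest signal in this data; the other encodedPass=1 hits still deserve a look, since nothing in a normal browser login sets that flag.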

Exploit:

The attacker obtains `<HASH>` from an access log, a proxy log, browser history or a `Referer` header, then sends a GET request to `/objects/login.json.php` with the parameters user=<email>&pass=<HASH>&encodedPass=1. The server answers 200 OK with a session cookie; if the victim is an administrator, the response also carries the admin flag.

Protection from this CVE

  • Never place a password hash in a URL; complete the OAuth login with a server-side session (as objects/login.json.php:143-146 already does) and redirect to a URL that carries no credential.
  • Remove or hard-restrict the `encodedPass` branch; replace it with a short-lived, single-use bearer token.
  • Send `Referrer-Policy: no-referrer` on oauth2Success.php. This closes only the `Referer` channel; logs and history still need the two fixes above.
  • Strip query strings containing `pass=` from access logs before they are written, so that already-deployed instances stop accumulating credentials.
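To make the two code paths from "How the CVE works" concrete next to the first two protection bullets, here is an added Python model (not AVideo's PHP and not the project's fix) of the vulnerable login check beside a hardened replacement: the OAuth completion hands out a random single-use token with a 60-second lifetime, and the encodedPass branch no longer exists. Everything in it is hypothetical: the function names, the user table, and the hash chain, in which whirlpool is replaced by sha256 because Python's hashlib only reaches whirlpool through OpenSSL's legacy provider.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Hypothetical stand-in for AVideo's md5(hash("whirlpool", sha1(pw))) chain.
# Assumption: whirlpool is swapped for sha256 here. The property that matters
# for the replay, an unsalted deterministic hex digest stored verbatim, holds.
def avideo_style_hash(password: str) -> str:
    sha1_hex = hashlib.sha1(password.encode()).hexdigest()
    mid_hex = hashlib.sha256(sha1_hex.encode()).hexdigest()
    return hashlib.md5(mid_hex.encode()).hexdigest()


# Constructed users table: email -> stored hash, as the victim's row would hold.
USERS = {"victim@example.com": avideo_style_hash("correct horse battery staple")}


def vulnerable_oauth_redirect(user: str) -> str:
    """Models oauth2.php: the stored hash rides along in the Location: query string."""
    return f"oauth2Success.php?user={user}&pass={USERS[user]}"


def vulnerable_verify(user: str, supplied: str, encoded_pass: bool = False) -> bool:
    """Models login.json.php: with encodedPass=1 the hash itself is the credential."""
    stored = USERS.get(user)
    if stored is None:
        return False
    if encoded_pass:
        return supplied == stored          # no hashing: a leaked hash logs in
    return avideo_style_hash(supplied) == stored


# ---- hardened replacement (added here, not the project's fix) ----
# One-time, short-lived login tokens held server-side: token -> (user, expiry).
PENDING_TOKENS: dict[str, tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 60.0


def hardened_oauth_complete(user: str, now: float | None = None) -> str:
    """Issue a random single-use token instead of the password hash. The URL
    still carries a secret, but one that expires in a minute and dies on first
    use, so a log entry or Referer leak is worthless after the handoff."""
    now = time.monotonic() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[token] = (user, now + TOKEN_TTL_SECONDS)
    return f"oauth2Success.php?token={token}"


def hardened_verify(user: str, supplied: str, token: str | None = None,
                    now: float | None = None) -> bool:
    """No encodedPass branch exists. Either a plaintext password is hashed and
    compared in constant time, or a pending token is redeemed exactly once."""
    now = time.monotonic() if now is None else now
    if token is not None:
        entry = PENDING_TOKENS.pop(token, None)   # pop: a second redemption fails
        if entry is None:
            return False
        tok_user, expiry = entry
        return tok_user == user and now <= expiry
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(avideo_style_hash(supplied), stored)


def demo() -> dict[str, bool]:
    """Replays the attack against both implementations and returns the outcomes."""
    user = "victim@example.com"
    leaked_hash = vulnerable_oauth_redirect(user).split("pass=", 1)[1]
    token = hardened_oauth_complete(user, now=1000.0).split("token=", 1)[1]
    stale = hardened_oauth_complete(user, now=1000.0).split("token=", 1)[1]
    return {
        "vulnerable_hash_replay": vulnerable_verify(user, leaked_hash, encoded_pass=True),
        "vulnerable_password":    vulnerable_verify(user, "correct horse battery staple"),
        "hardened_hash_replay":   hardened_verify(user, leaked_hash),
        "hardened_token_first":   hardened_verify(user, token, token=token, now=1010.0),
        "hardened_token_reuse":   hardened_verify(user, token, token=token, now=1011.0),
        "hardened_token_expired": hardened_verify(user, stale, token=stale, now=1100.0),
        "hardened_password":      hardened_verify(user, "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} login={'OK' if ok else 'REJECTED'}")
```

The point of the token design is that the value in the URL is no longer equivalent to the password: it is bound to one user, consumed on first use, and dead after 60 seconds, so the same leak channels (logs, history, Referer) yield nothing an attacker can replay. In a real deployment the pending-token map would live in the session store or database rather than in process memory.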

Impact

Full account takeover of any user who has logged in through MobileManager OAuth. Compromise of an administrator account gives complete control of the AVideo instance. The leaked hash is a password-equivalent credential and keeps working until the victim changes their password.


Sources:

Reported By: github.com