AVideo, Unauthenticated User Enumeration, CVE-2026-43881 (Medium)

Listen to this Post

The original CVE-2026-43881 allowed unauthenticated user enumeration via objects/users.json.php by supplying an isCompany parameter to bypass admin checks. The incomplete fix in commit d9cdc7024 patched users.json.php but left a sibling endpoint, objects/mention.json.php, unprotected. At line 17, mention.json.php lacks any authentication or admin check. The only input validation is a weak regex `preg_match(‘/^@/’, $_REQUEST[‘term’])` which only requires the search term to start with an `@` symbol. There is no `User::loginCheck()` nor an admin gate. The hard-coded rowCount of 10 limits the number of returned results, but an attacker can still enumerate up to 10 usernames per request. By making repeated requests with different prefixes or brute‑forcing the term parameter, an attacker can harvest many usernames. This anti‑pattern survives in the current master HEAD, allowing any unauthenticated visitor to list usernames by calling objects/mention.json.php?term=@. The endpoint returns JSON objects containing user identification strings (display names) without any permission verification.

dailycve form

Platform: AVideo (WWBN)
Version: ≤29.0
Vulnerability: unauthenticated user enumeration
Severity: Medium
Date: 2026-05-18

Prediction: Patch expected 2026-06-18

What Undercode Say:

Test for unauthenticated user enumeration via mention.json.php
curl -s "http://target.local/objects/mention.json.php?term=@" | jq .
Enumerate specific usernames by brute-forcing the term parameter
for i in {a..z}; do
curl -s "http://target.local/objects/mention.json.php?term=@$i" | jq -r '.[].identification' >> usernames.txt
done
Extract identification (username) from JSON response
curl -s "http://target.local/objects/mention.json.php?term=@" | jq -r '.[].identification'

Exploit:

  1. Send a GET request to `objects/mention.json.php` with the parameter term=@.
  2. The endpoint returns up to 10 user entries (each containing id, identification, etc.).
  3. Change the `term` value to @a, @b, etc., to enumerate all usernames.
  4. Combine the harvested usernames for further attacks (e.g., password spraying, phishing).

Protection from this CVE:

  • Immediately upgrade to a version that contains a complete fix (once available).
  • If no patch is yet released, apply a temporary Web Application Firewall (WAF) rule to block requests to `objects/mention.json.php` from unauthenticated sources.
  • Alternatively, manually add an authentication check at the top of objects/mention.json.php:
    if (!User::isLogged()) {
    return [];
    }
    
  • Monitor logs for suspicious patterns like many requests to `mention.json.php` with varying `term` values.

Impact:

  • An attacker can compile a list of valid usernames without any credentials.
  • The harvested usernames can be used for targeted credential stuffing, password spraying, or social engineering attacks.
  • User privacy is violated because usernames (and potentially other profile details) are exposed to unauthenticated visitors.
  • The vulnerability lowers the barrier for more severe attacks, increasing the risk of account takeover and data breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top