Listen to this Post
How the CVE Works
The vulnerability exists in `plugin/Live/uploadPoster.php` which handles poster image uploads for live streams. The endpoint accepts a `live_schedule_id` from `$_REQUEST` (line 11-12) to identify the target schedule. It verifies the user is logged in using `User::isLogged()` (line 14-17) but performs no ownership validation. An attacker can supply any numeric live_schedule_id, including those belonging to other users. The `Live_schedule` constructor loads schedule data by ID without authorization checks. File paths are generated using Live_schedule::getPosterPaths(), which builds paths solely from the provided ID. The uploaded file is moved to the victim’s poster path via `move_uploaded_file()` (line 48), overwriting the legitimate image. After a successful overwrite, the endpoint triggers a `socketLiveOFFCallback` broadcast (line 67-73). This uses `Live::notifySocketStats()` which calls sendSocketMessageToAll(), broadcasting the victim’s broadcast key and user ID to all connected WebSocket clients. The absence of an ownership check is an oversight, as parallel endpoints like `uploadPoster.json.php` and `view/Live_schedule/uploadPoster.php` contain proper authorization checks comparing the schedule owner’s user ID with the logged-in user.
dailycve form:
Platform: AVideo YouPHPTube
Version: 14.0 – 15.0
Vulnerability: Unauthorized Poster Overwrite
Severity: High
date: 2026-03-30
Prediction: 2026-04-15
What Undercode Say:
Enumerate live schedule IDs
for i in {1..100}; do echo "Checking ID $i"; curl -s -b cookies.txt "https://target.com/plugin/Live/uploadPoster.php?live_schedule_id=$i" -F "[email protected]" -F "live_servers_id=0"; done
Extract broadcast key from WebSocket notifications
Requires intercepting WebSocket traffic or analyzing socket.io logs
Exploit:
1. Authenticate as a low-privilege user.
- Send a POST request to `plugin/Live/uploadPoster.php` with a malicious image and a target
live_schedule_id. - The server overwrites the target poster without authorization.
- All connected WebSocket clients receive the victim’s broadcast key and user ID.
Protection from this CVE
- Apply patch adding ownership check: `if ($ls->getUsers_id() != User::getId() && !User::isAdmin()) { die(‘Not authorized’); }`
– Upgrade to patched version immediately. - Implement strict validation on all endpoints interacting with
live_schedule_id.
Impact
- Content Tampering: Attacker replaces any scheduled live stream poster with malicious images.
- Information Disclosure: Victim’s broadcast key and user ID are leaked to all WebSocket clients.
- Stream Disruption: Fake offline notifications mislead viewers, damaging stream availability.
- Privilege Escalation: Low-privilege users can affect any scheduled stream without ownership.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

