(Platform: Video-Streaming Platform), Authorization Bypass, CVE-2025-XXXX (Critical)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint, which fails to verify ownership of the target playlist. The script only checks if the authenticated user has streaming permissions via User::canStream(), but does not validate if the user owns the `playlists_id` being targeted. The attacker-controlled `playlists_id` parameter is directly passed to the `Playlists_schedules` object and saved without any ownership verification. The `save()` method merely checks that the `playlists_id` is not empty. When the schedule executes via plugin/PlayLists/run.php, the rebroadcast runs under the playlist owner’s user ID, not the schedule creator’s. This occurs because `run.php` retrieves the playlist owner’s ID ($pl->getUsers_id()) and uses it in Rebroadcaster::rebroadcastVideo(). In contrast, other endpoints like `saveShowOnTV.json.php` and `playListToSerie.php` use `PlayLists::canManagePlaylist()` to enforce ownership. Additionally, providing an existing schedule `id` in the POST request modifies any schedule without verifying ownership of the existing record. The `delete.json.php` endpoint requires admin privileges, highlighting the disparity.

dailycve form

Platform: Streaming Platform
Version: Affected versions
Vulnerability : Auth Bypass
Severity: Critical
date: 2026-03-30

Prediction: 2026-04-15

What Undercode Say:

Enumerate playlist IDs (example)
curl -X GET 'https://target.com/plugin/PlayLists/getAll.json.php' -H 'Cookie: PHPSESSID=<attacker_session>'
PoC: Create schedule on victim's playlist
curl -X POST 'https://target.com/plugin/PlayLists/View/Playlists_schedules/add.json.php' \
-H 'Cookie: PHPSESSID=<attacker_session>' \
-d 'playlists_id=<VICTIM_PLAYLIST_ID>&name=hijacked&start_datetime=2026-03-26+12:00:00&finish_datetime=2026-03-27+12:00:00&loop=1&repeat=d'

Exploit:

Attacker authenticates with streaming rights. Sends POST request to `add.json.php` with victim’s `playlists_id` and schedule parameters. The endpoint creates a schedule without ownership check. When triggered, `run.php` executes rebroadcast using victim’s identity, hijacking their playlist content.

Protection from this CVE

Apply patch adding `PlayLists::canManagePlaylist()` check in add.json.php. Validate ownership for both new schedules and existing schedule modifications before saving. Implement input validation and ensure all playlist operations enforce proper authorization.

Impact

Content hijacking of private/paid streams, disruption of live broadcasts, identity abuse causing victim-initiated appearance, unauthorized bandwidth consumption, and tampering with existing broadcast schedules.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top