How the CVE Works:
CVE-2025-48255 is a Cross-Site Request Forgery (CSRF) vulnerability in VideoWhisper’s Broadcast Live Video platform (supporting WebRTC, HLS, RTSP, RTMP). An attacker can craft a malicious page that, when visited by an authenticated admin, submits requests that perform unauthorized actions in the admin’s session. Because the application does not validate CSRF tokens, an attacker can manipulate streaming settings, hijack sessions, or disrupt broadcasts. The flaw affects versions up to 6.2.4.
DailyCVE Form:
Platform: VideoWhisper Live Streaming
Version: ≤6.2.4
Vulnerability: CSRF
Severity: Medium
Date: 05/29/2025
Prediction: Patch expected by 07/2025
What Undercode Says:
Analytics:
- Exploitability: Low (requires user interaction)
- Attack Vector: Network-based
- Impact: Integrity compromise
Exploit Example (PoC):
<form action="http://target/admin/update_settings" method="POST">
  <input type="hidden" name="stream_url" value="attacker-server.com/malicious">
</form>
<script>document.forms[0].submit();</script>
Protection Commands:
1. WAF Rule (ModSecurity):
# Matches the action name in request parameters and blocks regardless of origin: a stop-gap, not a substitute for token validation
SecRule ARGS "@contains update_settings" "id:1001,deny,msg:'CSRF Attempt'"
2. PHP Mitigation:
<?php
// Compare only the Referer host: the header carries a full URL, so an exact match against 'https://trusted-domain.com' would reject every legitimate request
$host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
if ($host !== 'trusted-domain.com') { http_response_code(403); die("CSRF Detected"); }
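The Referer check above is only a partial defense; the fix the advisory calls for is validating a per-session CSRF token. The following is an added example (not VideoWhisper’s code) of the server-side check a settings handler should apply: Origin/Referer host allow-listing plus a synchronizer token compared in constant time. The host `trusted-domain.com`, the field name `csrf_token`, and the request dicts are assumed for illustration.

```python
"""CSRF validation for a state-changing admin request: allow-listed source
host AND a per-session synchronizer token (constant-time compared)."""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"trusted-domain.com"}  # assumed site host, not from the advisory


def issue_token() -> str:
    """Fresh per-session token: store it server-side and embed it in each admin form."""
    return secrets.token_urlsafe(32)


def source_host(headers: dict) -> Optional[str]:
    """Host named by Origin (preferred) or Referer; None if neither header is present.
    urlsplit() handles the full URL a browser sends, so a path or query does not break the check."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    return urlsplit(value).hostname


def is_csrf_safe(headers: dict, form: dict, session_token: Optional[str]) -> Tuple[bool, str]:
    """Accept a POST only if BOTH checks pass; returns (accepted, reason).
    1. Source host is allow-listed: rejects a cross-site auto-submitted form.
    2. Submitted token matches the session token: rejects any forged request,
       including one where Origin/Referer were stripped by a privacy setting."""
    host = source_host(headers)
    if host is None:
        return False, "missing Origin and Referer"
    if host not in ALLOWED_HOSTS:
        return False, f"cross-site source host {host!r}"
    submitted = form.get("csrf_token", "")
    if not session_token or not submitted:
        return False, "missing CSRF token"
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"
```

A request matching the PoC shape (attacker origin, no token) fails the first check, and a same-site request that omits or forges the token fails the second.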
Patch Verification:
curl -I http://target/version | grep "X-CSRF-Token"
References:
- Patchstack Advisory: PSA-2025-48255
- NVD CVSS: 6.5 (Medium)
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode