WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-306 | CWE-306: Missing Authentication for Critical Function |
| CWE | CWE-352 | CWE-352: Cross-Site Request Forgery (CSRF) |
Type: CWE
Description: CWE-306: Missing Authentication for Critical Function
Type: CWE
Description: CWE-352: Cross-Site Request Forgery (CSRF)
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 5.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
Version: 3.1
Base score: 5.7
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N