CVE-2026-29093: CWE-287: Improper Authentication in WWBN AVideo
CVE-2026-29093 is a high-severity improper authentication vulnerability in WWBN AVideo versions prior to 24.0. The official docker-compose.yml file exposes the memcached service on host port 11211 without any authentication, allowing unauthenticated attackers with network access to this port to read, modify, or flush session data. Since PHP sessions are stored in this memcached instance, attackers can hijack user sessions, impersonate administrators, or cause mass session destruction. The vulnerability requires network access to port 11211 but no user interaction or authentication. This issue was patched in version 24.0 by removing or securing the exposed memcached service. Organizations running vulnerable versions with exposed memcached ports are at significant risk of account compromise and service disruption.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform that, prior to version 24.0, included a critical security flaw related to improper authentication (CWE-287) and insecure configuration (CWE-668). The official docker-compose.yml configuration published the memcached service on host port 11211 bound to 0.0.0.0, making it accessible from any network interface without authentication. Memcached, by default, does not implement authentication, so any attacker who can reach this port can interact with the memcached instance. PHP sessions for AVideo users are stored in this memcached instance, meaning session data is stored in-memory and accessible via memcached commands. An attacker can read session data to hijack active sessions, modify session data to impersonate administrators or other users, or flush all sessions to cause denial of service by forcing users to re-authenticate. This vulnerability is exploitable remotely without any privileges or user interaction, though network access to port 11211 is required. The CVSS 3.1 score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with a higher attack complexity due to the need for network access. The issue was addressed in version 24.0 by removing the exposed memcached port or securing it properly, preventing unauthorized access to session data.
Potential Impact
The vulnerability allows attackers to compromise user sessions, including those of administrators, leading to full account takeover and unauthorized access to sensitive video content and administrative functions. This can result in data breaches, unauthorized content manipulation, and disruption of service through mass session invalidation. Organizations using vulnerable versions of AVideo with exposed memcached ports risk significant operational disruption, loss of user trust, and potential regulatory consequences if user data is compromised. The ability to hijack sessions without authentication or user interaction makes this vulnerability particularly dangerous in environments where memcached is exposed to untrusted networks, such as public cloud deployments or misconfigured internal networks.
Mitigation Recommendations
Upgrade all WWBN AVideo instances to version 24.0 or later, which patches this vulnerability by securing or removing the exposed memcached port. If upgrading is not immediately possible, restrict network access to port 11211 using firewall rules or network segmentation to allow only trusted hosts to connect. Avoid exposing memcached services to public or untrusted networks. Consider configuring memcached to use SASL authentication or switch PHP session storage to a more secure backend that supports authentication and encryption. Regularly audit docker-compose and deployment configurations to ensure no sensitive services are exposed unintentionally. Monitor network traffic for unusual access to memcached ports and implement intrusion detection rules to alert on suspicious activity targeting memcached.
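The configuration audit recommended above can be automated. The following is an added example, not code from the AVideo project or from this advisory: it takes a docker-compose file already parsed into a dict (what `yaml.safe_load` returns), understands both the short `[[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTOCOL]` and the long `target/published/host_ip` port syntax, and reports any service that publishes memcached's port 11211 to a host interface other than loopback. The two compose structures embedded in it are constructed for illustration (the image name `avideo-placeholder` is a placeholder, not the project's real image) and show the vulnerable shape next to a corrected, loopback-only publication.

```python
"""Audit parsed docker-compose services for memcached published off loopback.

Added example (not AVideo project code). Input is the dict produced by
yaml.safe_load on a docker-compose file; output is a list of findings.
"""
from dataclasses import dataclass
from typing import Any, Iterable, Optional

# Ports of services that carry no authentication of their own by default.
# 11211 (memcached) is the one in CVE-2026-29093; extend for other stacks.
SENSITIVE_PORTS = {11211}
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}
ANY_INTERFACE = {None, "", "0.0.0.0", "::", "[::]"}


@dataclass
class PortMapping:
    host_ip: Optional[str]      # None means Docker binds to all interfaces
    host_port: Optional[str]    # None means an ephemeral host port
    container_port: str         # single port or "start-end" range
    protocol: str


def parse_port_entry(entry: Any) -> PortMapping:
    """Parse one element of a service's `ports:` list (short or long syntax)."""
    if isinstance(entry, dict):  # long syntax
        return PortMapping(
            host_ip=entry.get("host_ip"),
            host_port=str(entry["published"]) if "published" in entry else None,
            container_port=str(entry["target"]),
            protocol=str(entry.get("protocol", "tcp")),
        )
    text, protocol = str(entry), "tcp"
    if "/" in text:
        text, protocol = text.rsplit("/", 1)
    # Split from the right so a bracketed IPv6 host address stays intact.
    parts = text.rsplit(":", 2)
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_ip, (host_port, container_port) = None, parts
    else:
        host_ip, host_port, container_port = None, None, parts[0]
    return PortMapping(host_ip, host_port, container_port, protocol)


def first_port(spec: str) -> int:
    """Lowest port of a single port or a 'start-end' range."""
    return int(spec.split("-", 1)[0])


def audit_compose(compose: dict, sensitive_ports: Iterable[int] = SENSITIVE_PORTS) -> list:
    """Return findings for sensitive ports published to non-loopback host interfaces."""
    sensitive = set(sensitive_ports)
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        svc = svc or {}
        is_memcached_image = "memcached" in str(svc.get("image", ""))
        for entry in svc.get("ports") or []:
            m = parse_port_entry(entry)
            if first_port(m.container_port) not in sensitive and not is_memcached_image:
                continue
            if m.host_ip in LOOPBACK:
                continue  # reachable only from the Docker host itself
            findings.append({
                "service": name,
                "entry": entry,
                "host_ip": m.host_ip or "0.0.0.0",
                "host_port": m.host_port or "ephemeral",
                # all interfaces: the CVE-2026-29093 shape; a specific IP still
                # warrants review but is at least not every interface
                "severity": "high" if m.host_ip in ANY_INTERFACE else "medium",
            })
    return findings


# Constructed samples: the vulnerable shape described in the advisory, and a
# corrected shape that publishes memcached on loopback only.
VULNERABLE_COMPOSE = {
    "services": {
        "memcached": {"image": "memcached:1.6", "ports": ["11211:11211"]},
        "web": {"image": "avideo-placeholder", "ports": ["80:80", "443:443"]},
    }
}
FIXED_COMPOSE = {
    "services": {
        "memcached": {
            "image": "memcached:1.6",
            "ports": [{"target": 11211, "published": 11211, "host_ip": "127.0.0.1"}],
        },
        "web": {"image": "avideo-placeholder", "ports": ["80:80", "443:443"]},
    }
}

if __name__ == "__main__":
    for label, compose in (("vulnerable", VULNERABLE_COMPOSE), ("fixed", FIXED_COMPOSE)):
        print(label, audit_compose(compose) or "no findings")
```

Dropping the `ports:` entry for memcached altogether is the stronger fix, since AVideo's web container can still reach it over the compose network; publishing on `127.0.0.1` is the shape to use only when something on the host itself needs the port.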
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T21:54:06.707Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa4a7bc48b3f10ffe32f87
Added to database: 3/6/2026, 3:31:07 AM
Last enriched: 3/6/2026, 3:45:22 AM
Last updated: 3/6/2026, 6:33:16 AM