WWBN AVideo is an open-source video platform widely used for video hosting and streaming. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php suffers from a missing authorization vulnerability (CWE-862). This endpoint allows unauthenticated users to access the complete permission matrix that maps user groups to their plugin permissions without any authentication or authorization checks. This contrasts with sibling endpoints in the same directory, such as add.json.php, delete.json.php, and index.php, which correctly require administrative privileges via User::isAdmin(). The vulnerability arises from an oversight in access control implementation, exposing sensitive authorization data that could aid attackers in reconnaissance and planning further attacks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact without integrity or availability impact. Although no known exploits are reported in the wild, the exposure of permission mappings could facilitate privilege escalation or targeted attacks if combined with other vulnerabilities. The vendor has addressed this issue in commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516.

The primary impact of this vulnerability is unauthorized disclosure of sensitive authorization information, specifically the permission matrix that details which user groups have access to which plugins. This information leakage can aid attackers in understanding the internal permission structure of the platform, enabling more precise and effective attacks such as privilege escalation, targeted exploitation of plugins, or social engineering attacks. While the vulnerability does not directly allow modification or denial of service, the confidentiality breach can have cascading effects on organizational security posture. Organizations relying on AVideo for video content delivery may face increased risk of targeted attacks against their video platform infrastructure. Additionally, if attackers combine this information with other vulnerabilities or compromised accounts, they could escalate privileges or disrupt services. The impact is particularly relevant for organizations hosting sensitive or proprietary video content or those integrating AVideo into larger enterprise systems.

Organizations using WWBN AVideo versions 26.0 or earlier should immediately update to a patched version that includes the fixes from commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516. If immediate patching is not possible, administrators should restrict access to the affected endpoint via network controls such as web application firewalls or reverse proxies to block unauthenticated requests to plugin/Permissions/View/Users_groups_permissions/list.json.php. Conduct a thorough review of user group permissions and plugin assignments to ensure least privilege principles are enforced. Monitor logs for unusual access patterns to permission-related endpoints. Additionally, implement regular security audits of access control mechanisms in custom or third-party plugins to prevent similar oversights. Educate developers and administrators on the importance of consistent authorization checks across all endpoints, especially those exposing sensitive configuration or permission data.