CVE-2026-33650: CWE-863: Incorrect Authorization in WWBN AVideo
CVE-2026-33650 is a high-severity authorization vulnerability in WWBN AVideo versions up to and including 26.0. It allows users with the 'Videos Moderator' permission, which is intended only for changing a video's publicity status, to escalate privileges and perform full video management, including transferring ownership and deleting any video. The flaw arises from inconsistent authorization checks: full video editing is gated on 'canModerateVideos()', but video deletion only verifies ownership, enabling a two-step exploit that first transfers ownership and then deletes the video. No user interaction is required, and the vulnerability can be exploited remotely with low attack complexity. Although no known exploits are reported in the wild, affected organizations should apply the patch referenced in commit 838e16818c793779406ecbf34ebaeba9830e33f8 promptly. This vulnerability impacts the confidentiality, integrity, and availability of video content on affected platforms.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform used for hosting and managing video content. In versions up to and including 26.0, a critical authorization flaw (CWE-863) exists that allows privilege escalation by users assigned the 'Videos Moderator' role. This role is documented to permit only changes to video publicity status (Active, Inactive, Unlisted). However, due to inconsistent authorization logic, these users can escalate privileges to perform full video management operations, including transferring ownership and deleting any video. The root cause lies in the use of the 'Permissions::canModerateVideos()' function as an authorization gate in 'videoAddNew.json.php' for full video editing, while 'videoDelete.json.php' only checks if the user owns the video before allowing deletion. This asymmetry enables a two-step attack: first, the attacker transfers ownership of a target video to themselves, then deletes it, bypassing intended restrictions. The vulnerability has a CVSS 3.1 score of 7.6 (high severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. Although no known exploits are currently reported, the vulnerability poses a significant risk to the integrity and availability of video content on affected installations. A patch addressing this issue is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.
Potential Impact
This vulnerability allows attackers with limited privileges to escalate their permissions and fully control video content, including deleting or transferring ownership of any video on the platform. The impact includes unauthorized deletion or modification of video content, leading to loss of data integrity and availability. Confidentiality is also affected as unauthorized users may gain control over videos they should not manage. Organizations relying on WWBN AVideo for content delivery, especially those with multiple user roles, risk content sabotage, disruption of service, and potential reputational damage. Since the attack requires only low privileges and no user interaction, it can be exploited remotely by insiders or compromised accounts with 'Videos Moderator' permissions. This could disrupt business operations, cause data loss, and undermine trust in the platform’s security controls.
Mitigation Recommendations
Organizations should immediately update WWBN AVideo to a version that includes the patch from commit 838e16818c793779406ecbf34ebaeba9830e33f8 or later. Until patched, restrict the 'Videos Moderator' permission to trusted users only and audit current users assigned this role. Implement additional monitoring and alerting for unusual video ownership changes or deletions. Review and harden authorization logic in custom deployments to ensure consistent permission checks across all video management operations. Employ role-based access control (RBAC) best practices to minimize privilege assignments. Regularly audit logs for suspicious activity related to video management. Consider isolating critical video content or using external backup solutions to mitigate potential data loss from unauthorized deletions.
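The gate asymmetry described in the technical summary, and the consistent-permission-check recommendation above, modelled as an added Python example. This is not AVideo's own code: the User and Video fields, the PUBLICITY_FIELDS set and the two policy classes are constructed here to show why a per-field check on the edit path closes the ownership-transfer-then-delete sequence while still letting a moderator change publicity status.

```python
from dataclasses import dataclass

# Constructed model of the roles the advisory names; not AVideo's own types.
@dataclass
class User:
    id: int
    is_admin: bool = False
    can_moderate_videos: bool = False  # the 'Videos Moderator' permission

@dataclass
class Video:
    id: int
    owner_id: int
    status: str = "active"  # publicity status: active / inactive / unlisted

# The only fields the documented 'Videos Moderator' role is meant to change.
PUBLICITY_FIELDS = {"status"}

class VulnerablePolicy:
    """Inconsistent gates, as the advisory describes them (assumed model)."""
    @staticmethod
    def can_edit(user, video, fields):
        # Edit path: any moderator passes, regardless of which fields change.
        return user.is_admin or user.can_moderate_videos or user.id == video.owner_id
    @staticmethod
    def can_delete(user, video):
        # Delete path: ownership only, so a freshly transferred video qualifies.
        return user.is_admin or user.id == video.owner_id

class ConsistentPolicy:
    """Moderators may touch publicity fields only; owner changes need owner/admin."""
    @staticmethod
    def can_edit(user, video, fields):
        if user.is_admin or user.id == video.owner_id:
            return True
        return user.can_moderate_videos and set(fields) <= PUBLICITY_FIELDS
    @staticmethod
    def can_delete(user, video):
        return user.is_admin or user.id == video.owner_id

def two_step_outcome(policy, actor, video):
    """Return (transfer_allowed, delete_allowed) for the transfer-then-delete sequence."""
    v = Video(video.id, video.owner_id, video.status)  # work on a copy
    transferred = policy.can_edit(actor, v, {"owner_id"})
    if transferred:
        v.owner_id = actor.id  # the ownership change takes effect before the delete check
    return transferred, policy.can_delete(actor, v)

if __name__ == "__main__":
    mod, vid = User(id=2, can_moderate_videos=True), Video(id=10, owner_id=1)
    print("vulnerable:", two_step_outcome(VulnerablePolicy, mod, vid))
    print("consistent:", two_step_outcome(ConsistentPolicy, mod, vid))
```

The same per-field rule is what an audit of a custom deployment should look for: every endpoint that can change ownership or delete must apply the same test, not a weaker one.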
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18a60f4197a8e3b8159f6
Added to database: 3/23/2026, 6:45:52 PM
Last enriched: 3/23/2026, 7:00:58 PM
Last updated: 3/23/2026, 8:38:25 PM