WWBN AVideo is an open-source video platform widely used for live streaming and video hosting. In versions up to and including 26.0, the standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php contains a critical improper authentication vulnerability (CWE-287). The endpoint accepts a user-supplied parameter named streamerURL, which determines the destination for token verification requests. Due to insufficient validation, an attacker can supply a malicious streamerURL pointing to a server they control. This malicious server can respond with a fabricated JSON response indicating no error ("{"error": false}"), effectively bypassing the platform's authentication mechanism. Exploiting this flaw grants attackers unauthenticated control over live stream management functions, including forcibly dropping active stream publishers, starting or stopping recordings, and probing whether streams exist. The vulnerability is remotely exploitable over the network without any privileges or user interaction, making it highly dangerous. The issue was addressed in a patch committed under hash 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. The CVSS v3.1 base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), reflecting the ease of exploitation and significant impact on integrity and availability, though confidentiality impact is low. No known exploits in the wild have been reported yet.

This vulnerability allows attackers to bypass authentication controls on live stream management, which can severely disrupt video streaming services. Attackers can terminate ongoing streams, preventing legitimate broadcasters from reaching their audience, or manipulate recordings, potentially causing data loss or unauthorized content manipulation. The ability to probe stream existence can also aid in reconnaissance for further attacks. For organizations relying on AVideo for live events, education, or corporate communications, this can result in significant operational disruption, reputational damage, and potential financial loss. The lack of authentication requirement and ease of exploitation increase the risk of widespread abuse, especially in environments where live streaming is critical. Additionally, attackers could use this access to interfere with content integrity and availability, undermining trust in the platform.

Organizations using WWBN AVideo versions 26.0 or earlier must immediately apply the patch available in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 to fix the improper authentication flaw. Until patched, administrators should restrict access to the vulnerable endpoint by implementing network-level controls such as IP whitelisting or firewall rules to limit access to trusted users only. Monitoring and logging of live stream control endpoint requests should be enhanced to detect suspicious or anomalous activity, such as unexpected streamerURL parameters or unusual control commands. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to block requests attempting to redirect token verification externally. Regularly audit and review live stream management logs to identify potential unauthorized actions. Finally, educate users and administrators about the risk and ensure that all components of the AVideo platform are kept up to date with security patches.