WWBN AVideo is an open-source video platform that allows users to create and manage video playlists. In versions up to and including 26.0, the endpoint objects/playlistsVideos.json.php returns the full video contents of any playlist when provided with a sequential integer playlist ID (playlists_id) parameter. Critically, this endpoint lacks any authentication or authorization checks, enabling unauthenticated attackers to retrieve private playlist contents simply by guessing or enumerating playlist IDs. While private playlists such as watch_later and favorite are correctly hidden from user-facing listing endpoints (playlistsFromUser.json.php), their contents remain exposed through this vulnerable endpoint. This represents a classic missing authorization vulnerability (CWE-862) combined with improper access control (CWE-639). The vulnerability allows unauthorized disclosure of potentially sensitive video content, violating user privacy. The issue was identified and patched in commit bb716fbece656c9fe39784f11e4e822b5867f1ca. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality loss only. No integrity or availability impacts are present. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized disclosure of private video playlist contents. Attackers can access videos intended to be private, such as watch_later or favorite playlists, potentially exposing sensitive or personal content. This breach of confidentiality can lead to privacy violations for users and damage the reputation of organizations hosting sensitive video content. Since the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it presents a moderate risk. However, it does not allow modification or deletion of data, nor does it impact system availability. Organizations using WWBN AVideo versions up to 26.0 are at risk of data leakage, which could result in compliance violations if personal data is exposed. The scope includes any deployment exposing the vulnerable endpoint to untrusted networks.

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit bb716fbece656c9fe39784f11e4e822b5867f1ca or later. If upgrading is not immediately possible, implement network-level access controls to restrict access to the objects/playlistsVideos.json.php endpoint to authorized users only, such as via firewall rules or VPN access. Additionally, review and harden API endpoint authorization logic to ensure all sensitive data endpoints enforce strict authentication and authorization checks. Conduct thorough testing to verify that private playlists and their contents are no longer accessible without proper permissions. Monitor logs for unusual access patterns to playlist endpoints that may indicate exploitation attempts. Finally, educate developers and administrators about the importance of authorization checks on all API endpoints handling sensitive data.