
CVE-2026-33763: CWE-307: Improper Restriction of Excessive Authentication Attempts in WWBN AVideo

Severity: Medium
Tags: cve, cve-2026-33763, cwe-307
Published: Fri Mar 27 2026 (03/27/2026, 14:25:12 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

CVE-2026-33763 is a medium severity vulnerability in WWBN AVideo versions up to 26.0 that allows unauthenticated attackers to brute-force passwords protecting videos. The vulnerability exists in the get_api_video_password_is_correct API endpoint, which returns a boolean indicating password correctness without any rate limiting, CAPTCHA, or authentication. This enables attackers to perform offline-speed brute-force attacks to guess video passwords efficiently. The flaw is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). A patch addressing this issue is available in a specific commit. No known exploits are currently reported in the wild. The vulnerability impacts confidentiality but not integrity or availability, and requires no user interaction or privileges to exploit.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 15:01:07 UTC

Technical Analysis

WWBN AVideo is an open-source video platform that supports password-protected videos. In versions up to and including 26.0, the API endpoint get_api_video_password_is_correct allows any unauthenticated user to verify if a given password is correct for any password-protected video. The endpoint responds with a boolean field passwordIsCorrect without enforcing any rate limiting, CAPTCHA challenges, or authentication requirements. This design flaw constitutes an improper restriction of excessive authentication attempts (CWE-307), enabling attackers to perform brute-force attacks at offline speeds against video passwords. Because the endpoint provides immediate feedback on password correctness, attackers can automate password guessing attempts rapidly and efficiently. The vulnerability affects confidentiality by potentially exposing protected video content to unauthorized users. The issue has been patched in a commit identified as 01a0614fedcdaee47832c0d913a0fb86d8c28135. The CVSS v3.1 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact. No known exploits have been reported in the wild to date.

Potential Impact

The primary impact of this vulnerability is the compromise of confidentiality for password-protected videos hosted on vulnerable WWBN AVideo instances. Attackers can gain unauthorized access to protected video content by brute-forcing passwords without detection or mitigation controls. This can lead to exposure of sensitive or proprietary video content, intellectual property theft, privacy violations, or reputational damage for organizations relying on AVideo for secure video delivery. Since the vulnerability does not affect integrity or availability, the core platform functionality remains intact, but unauthorized content access can have significant business and legal consequences. The lack of rate limiting and authentication requirements increases the risk of large-scale automated attacks, especially against weak or commonly used passwords. Organizations using AVideo in sectors such as education, media, corporate training, or healthcare may face increased risk due to the sensitive nature of video content. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability’s ease of exploitation and direct impact on confidentiality warrant prompt remediation.

Mitigation Recommendations

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 or later. If upgrading is not immediately possible, implement compensating controls such as:

1) Deploying web application firewalls (WAFs) to detect and block rapid repeated requests to the get_api_video_password_is_correct endpoint.
2) Introducing custom rate limiting or CAPTCHA mechanisms at the API gateway or reverse proxy level to throttle brute-force attempts.
3) Enforcing strong password policies for video passwords, including minimum length and complexity requirements, to reduce brute-force feasibility.
4) Monitoring logs for abnormal access patterns or repeated password verification attempts and alerting security teams.
5) Restricting API endpoint access via network segmentation or IP whitelisting where feasible.
6) Educating users and administrators about the risks of weak passwords and the importance of timely patching.

These measures, combined with patching, will significantly reduce the risk of exploitation.
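The log-monitoring control in point 4 can be implemented as a sliding-window count of calls to the endpoint per client IP. This is an added example, not code from the advisory or the AVideo project; the combined access-log format, the URL form used to call the endpoint, and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory. The full URL form used in SAMPLE_LOG is an assumption.
ENDPOINT = "get_api_video_password_is_correct"

# Common access-log format (nginx/Apache "combined"): client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (client_ip, timestamp, url) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("url")

def flag_password_probing(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of ENDPOINT calls per client IP.
    Returns {ip: peak_calls_in_window} for every IP whose peak exceeds threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and ENDPOINT in parsed[2]:
            per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: 203.0.113.7 checks one video's password 7 times in 18 s (each answered with a
# 200 and a boolean body, as the advisory describes); 198.51.100.4 makes two widely spaced checks.
SAMPLE_LOG = [
    f'203.0.113.7 - - [27/Mar/2026:14:25:{s:02d} +0000] "GET /plugin/API/get.json.php?APIName={ENDPOINT}&videos_id=42 HTTP/1.1" 200 31'
    for s in range(10, 30, 3)
] + [
    f'198.51.100.4 - - [27/Mar/2026:14:20:05 +0000] "GET /plugin/API/get.json.php?APIName={ENDPOINT}&videos_id=42 HTTP/1.1" 200 31',
    f'198.51.100.4 - - [27/Mar/2026:14:40:11 +0000] "GET /plugin/API/get.json.php?APIName={ENDPOINT}&videos_id=42 HTTP/1.1" 200 31',
    '198.51.100.4 - - [27/Mar/2026:14:40:12 +0000] "GET /video/42 HTTP/1.1" 200 8123',
]
```

Run over real access logs, `flag_password_probing` returns the IPs whose burst of verification calls exceeds the threshold, which can feed a WAF block rule (point 1) or an alert (point 4); tune `threshold` and `window` to the legitimate retry rate of your users.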


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T18:30:14.126Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c697e13c064ed76fb722a4

Added to database: 3/27/2026, 2:44:49 PM

Last enriched: 3/27/2026, 3:01:07 PM

Last updated: 3/27/2026, 5:08:31 PM

