WWBN AVideo is an open-source video platform that allows content owners to password-protect individual videos. In versions up to and including 26.0, the platform stores these video passwords in plaintext within its database, without any hashing, salting, or encryption. This practice violates secure credential storage principles and is classified under CWE-312 (Cleartext Storage of Sensitive Information). If an attacker gains read access to the database—through means such as SQL injection vulnerabilities, access to database backups, or misconfigured access controls—they can retrieve all video passwords in cleartext. This compromises the confidentiality and integrity of the protected video content, potentially allowing unauthorized access to restricted videos. The vulnerability does not require authentication or user interaction, but exploitation depends on the attacker’s ability to read the database. A patch has been committed (commit f2d68d2adbf73588ea61be2b781d93120a819e36) to remediate this issue by implementing proper password protection mechanisms. The CVSS 4.0 score of 9.1 indicates a critical severity, emphasizing the high impact and the need for immediate remediation.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of password-protected videos hosted on AVideo platforms. Attackers who gain read access to the database can obtain all video passwords in plaintext, enabling unauthorized viewing of restricted content. This can lead to intellectual property theft, privacy violations, and reputational damage for organizations relying on AVideo to secure sensitive or proprietary video content. Additionally, if attackers leverage SQL injection or other database access vulnerabilities, this issue can be part of a larger attack chain compromising broader system components. Organizations worldwide using AVideo are at risk, especially those hosting sensitive or commercial video content. The exposure of passwords may also facilitate further attacks if users reuse passwords elsewhere. The vulnerability’s critical severity underscores the potential for significant operational and legal consequences if exploited.

1. Immediately apply the patch referenced by commit f2d68d2adbf73588ea61be2b781d93120a819e36 or upgrade to a version of AVideo that addresses this vulnerability. 2. Review and tighten database access controls to ensure only authorized personnel and services have read access to sensitive data. 3. Conduct thorough security assessments to identify and remediate any SQL injection or other vulnerabilities that could allow unauthorized database access. 4. Implement encryption at rest for database storage to add an additional layer of protection for sensitive data. 5. Regularly audit database backups and ensure they are securely stored and access-controlled. 6. Educate developers and administrators on secure password storage best practices, including hashing with salts and encryption. 7. Monitor logs and alerts for unusual database access patterns that could indicate exploitation attempts. 8. Consider implementing multi-factor authentication and network segmentation to reduce the risk of lateral movement if an attacker gains initial access.